extauth.proto

Package: enterprise.gloo.solo.io

Types:

Source File: github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto

AuthConfig

This is the user-facing auth configuration. When processed by Gloo, certain configuration types (e.g. oauth, opa) will be translated, for example to resolve resource references. See ExtAuthConfig.AuthConfig for the final config format that will be included in the extauth snapshot.

"namespacedStatuses": .core.solo.io.NamespacedStatuses
"metadata": .core.solo.io.Metadata
"configs": []enterprise.gloo.solo.io.AuthConfig.Config
"booleanExpr": .google.protobuf.StringValue

Field Type Description
namespacedStatuses .core.solo.io.NamespacedStatuses NamespacedStatuses indicates the validation status of this resource. NamespacedStatuses is read-only by clients, and set by gloo during validation.
metadata .core.solo.io.Metadata Metadata contains the object metadata for this resource.
configs []enterprise.gloo.solo.io.AuthConfig.Config List of auth configs to be checked for requests on a route referencing this auth config. By default, every config must be authorized for the entire request to be authorized. This behavior can be changed by defining names for each config and defining boolean_expr below. State is shared between successful requests on the chain, i.e., the headers returned from each successful auth service get appended into the final auth response.
booleanExpr .google.protobuf.StringValue How to handle processing of named configs within an auth config chain. An example config might be: ( basic1 || basic2 || (oidc1 && !oidc2) ) The boolean expression is evaluated left to right but honors parentheses and short-circuiting.
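The boolean_expr semantics described above (named configs, left-to-right evaluation honouring parentheses and short-circuiting, with && binding tighter than ||) can be exercised with the following Go program. It is an added example written for this page, not Gloo's own evaluator; EvaluateChain, node and parser are this example's names, and the outcome map is constructed. The evaluator records which configs were actually consulted, so you can see that a config skipped by short-circuiting is never run, and it rejects an expression that names a config not present in the chain rather than silently treating it as false.

```go
package main

import (
	"fmt"
	"strings"
)

// node is a parsed boolean_expr. It asks check() only for the configs it needs, so Go's own
// && and || yield the left-to-right, short-circuiting evaluation the page describes.
type node func(check func(string) bool) bool

func or(l, r node) node  { return func(c func(string) bool) bool { return l(c) || r(c) } }
func and(l, r node) node { return func(c func(string) bool) bool { return l(c) && r(c) } }

// tokenize splits an expression into config names, "!", "&&", "||", "(" and ")".
func tokenize(expr string) []string {
	r := strings.NewReplacer("(", " ( ", ")", " ) ", "!", " ! ", "&&", " && ", "||", " || ")
	return strings.Fields(r.Replace(expr))
}

// parser is a recursive-descent parser for  or := and ("||" and)*,  and := unary ("&&" unary)*,
// unary := "!" unary | "(" or ")" | name,  so "&&" binds tighter than "||".
type parser struct {
	toks    []string
	pos     int
	results map[string]bool // the configured (named) auth configs and their outcomes
}

func (p *parser) peek() string {
	if p.pos < len(p.toks) {
		return p.toks[p.pos]
	}
	return ""
}

func (p *parser) next() string { t := p.peek(); p.pos++; return t }

// binary parses a left-associative chain of operands separated by op.
func (p *parser) binary(op string, operand func() (node, error), join func(l, r node) node) (node, error) {
	left, err := operand()
	if err != nil {
		return nil, err
	}
	for p.peek() == op {
		p.next()
		right, err := operand()
		if err != nil {
			return nil, err
		}
		left = join(left, right)
	}
	return left, nil
}

func (p *parser) parseOr() (node, error)  { return p.binary("||", p.parseAnd, or) }
func (p *parser) parseAnd() (node, error) { return p.binary("&&", p.parseUnary, and) }

func (p *parser) parseUnary() (node, error) {
	switch t := p.next(); t {
	case "!":
		x, err := p.parseUnary()
		if err != nil {
			return nil, err
		}
		return func(c func(string) bool) bool { return !x(c) }, nil
	case "(":
		x, err := p.parseOr()
		if err != nil {
			return nil, err
		}
		if p.next() != ")" {
			return nil, fmt.Errorf("missing closing parenthesis")
		}
		return x, nil
	case "", ")", "&&", "||":
		return nil, fmt.Errorf("unexpected token %q", t)
	default:
		// A name that is not a configured auth config is a configuration error, not a silent "false".
		if _, known := p.results[t]; !known {
			return nil, fmt.Errorf("boolean_expr references unknown config %q", t)
		}
		return func(c func(string) bool) bool { return c(t) }, nil
	}
}

// EvaluateChain decides the chain from the per-config outcomes in results and reports, in order,
// which configs were actually consulted (constructed outcomes stand in for running the auth services).
func EvaluateChain(expr string, results map[string]bool) (authorized bool, consulted []string, err error) {
	p := &parser{toks: tokenize(expr), results: results}
	tree, err := p.parseOr()
	if err != nil {
		return false, nil, err
	}
	if p.pos != len(p.toks) {
		return false, nil, fmt.Errorf("unexpected token %q after end of expression", p.toks[p.pos])
	}
	authorized = tree(func(name string) bool {
		consulted = append(consulted, name)
		return results[name]
	})
	return authorized, consulted, nil
}
```

With the page's expression and outcomes basic1=false, basic2=true, EvaluateChain returns true having consulted only basic1 and basic2: the oidc configs are never run, so they contribute no headers to the final auth response. "a || b && c" with a=false, b=true, c=false evaluates to false, showing that && is grouped before ||.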

Config

"name": .google.protobuf.StringValue
"basicAuth": .enterprise.gloo.solo.io.BasicAuth
"oauth": .enterprise.gloo.solo.io.OAuth
"oauth2": .enterprise.gloo.solo.io.OAuth2
"apiKeyAuth": .enterprise.gloo.solo.io.ApiKeyAuth
"pluginAuth": .enterprise.gloo.solo.io.AuthPlugin
"opaAuth": .enterprise.gloo.solo.io.OpaAuth
"ldap": .enterprise.gloo.solo.io.Ldap
"jwt": .google.protobuf.Empty
"passThroughAuth": .enterprise.gloo.solo.io.PassThroughAuth

Field Type Description
name .google.protobuf.StringValue optional: used when defining complex boolean logic, if boolean_expr is defined below. Also used in logging. If omitted, an automatically generated name will be used (e.g. config_0, of the pattern ‘config_$INDEX_IN_CHAIN’). In the case of plugin auth, this field is ignored in favor of the name assigned on the plugin config itself.
basicAuth .enterprise.gloo.solo.io.BasicAuth Only one of basicAuth, oauth, oauth2, apiKeyAuth, pluginAuth, opaAuth, ldap, jwt, or passThroughAuth can be set.
oauth .enterprise.gloo.solo.io.OAuth Only one of oauth, basicAuth, oauth2, apiKeyAuth, pluginAuth, opaAuth, ldap, jwt, or passThroughAuth can be set.
oauth2 .enterprise.gloo.solo.io.OAuth2 Only one of oauth2, basicAuth, oauth, apiKeyAuth, pluginAuth, opaAuth, ldap, jwt, or passThroughAuth can be set.
apiKeyAuth .enterprise.gloo.solo.io.ApiKeyAuth Only one of apiKeyAuth, basicAuth, oauth, oauth2, pluginAuth, opaAuth, ldap, jwt, or passThroughAuth can be set.
pluginAuth .enterprise.gloo.solo.io.AuthPlugin Only one of pluginAuth, basicAuth, oauth, oauth2, apiKeyAuth, opaAuth, ldap, jwt, or passThroughAuth can be set.
opaAuth .enterprise.gloo.solo.io.OpaAuth Only one of opaAuth, basicAuth, oauth, oauth2, apiKeyAuth, pluginAuth, ldap, jwt, or passThroughAuth can be set.
ldap .enterprise.gloo.solo.io.Ldap Only one of ldap, basicAuth, oauth, oauth2, apiKeyAuth, pluginAuth, opaAuth, jwt, or passThroughAuth can be set.
jwt .google.protobuf.Empty This is a “dummy” extauth service which can be used to support multiple auth mechanisms with JWT authentication. If Jwt authentication is to be used in the boolean expression in an AuthConfig, you can use this auth config type to include Jwt as an Auth config. In addition, allow_missing_or_failed_jwt must be set on the Virtual Host or Route that uses JWT auth or else the JWT filter will short circuit this behaviour. Only one of jwt, basicAuth, oauth, oauth2, apiKeyAuth, pluginAuth, opaAuth, ldap, or passThroughAuth can be set.
passThroughAuth .enterprise.gloo.solo.io.PassThroughAuth Only one of passThroughAuth, basicAuth, oauth, oauth2, apiKeyAuth, pluginAuth, opaAuth, ldap, or jwt can be set.

ExtAuthExtension

Auth configurations defined on virtual hosts, routes, and weighted destinations will be unmarshalled to this message.

"disable": bool
"configRef": .core.solo.io.ResourceRef
"customAuth": .enterprise.gloo.solo.io.CustomAuth

Field Type Description
disable bool Set to true to disable auth on the virtual host/route. Only one of disable, configRef, or customAuth can be set.
configRef .core.solo.io.ResourceRef A reference to an AuthConfig. This is used to configure the Gloo Edge Enterprise extauth server. Only one of configRef, disable, or customAuth can be set.
customAuth .enterprise.gloo.solo.io.CustomAuth Use this field if you are running your own custom extauth server. Only one of customAuth, disable, or configRef can be set.

Settings

Global external auth settings

"extauthzServerRef": .core.solo.io.ResourceRef
"httpService": .enterprise.gloo.solo.io.HttpService
"userIdHeader": string
"requestTimeout": .google.protobuf.Duration
"failureModeAllow": bool
"requestBody": .enterprise.gloo.solo.io.BufferSettings
"clearRouteCache": bool
"statusOnError": int
"transportApiVersion": .enterprise.gloo.solo.io.Settings.ApiVersion
"statPrefix": string

Field Type Description
extauthzServerRef .core.solo.io.ResourceRef The upstream to ask about auth decisions.
httpService .enterprise.gloo.solo.io.HttpService If this is set, communication to the upstream will be via HTTP and not GRPC.
userIdHeader string If the auth server returns a trusted id of the user, it will be set in this header. Specifically, this means that this header will be sanitized from the incoming request.
requestTimeout .google.protobuf.Duration Timeout for the ext auth service to respond. Defaults to 200ms.
failureModeAllow bool In case of a failure or timeout querying the auth server, normally a request is denied. If this is set to true, the request will be allowed.
requestBody .enterprise.gloo.solo.io.BufferSettings Set this if you also want to send the body of the request, and not just the headers.
clearRouteCache bool Clears route cache in order to allow the external authorization service to correctly affect routing decisions. The filter clears all cached routes when:
1. The field is set to true.
2. The status returned from the authorization service is an HTTP 200 or gRPC 0.
3. At least one authorization response header is added to the client request, or is used for altering another client request header.
statusOnError int Sets the HTTP status that is returned to the client when there is a network error between the filter and the authorization server. The default status is HTTP 403 Forbidden. If set, this must be one of the following:
- 100
- 200 201 202 203 204 205 206 207 208 226
- 300 301 302 303 304 305 307 308
- 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 421 422 423 424 426 428 429 431
- 500 501 502 503 504 505 506 507 508 510 511
transportApiVersion .enterprise.gloo.solo.io.Settings.ApiVersion Determines the API version for the ext_authz transport protocol that will be used by Envoy to communicate with the auth server. Defaults to V2. For more info, see the transport_api_version field here.
statPrefix string Optional additional prefix to use when emitting statistics. This allows to distinguish emitted statistics between configured ext_authz filters in an HTTP filter chain.

ApiVersion

Describes the transport protocol version to use when connecting to the ext auth server.

Name Description
V3 Use v3 API.

HttpService

"pathPrefix": string
"request": .enterprise.gloo.solo.io.HttpService.Request
"response": .enterprise.gloo.solo.io.HttpService.Response

Field Type Description
pathPrefix string Sets a prefix to the value of authorization request header Path.
request .enterprise.gloo.solo.io.HttpService.Request
response .enterprise.gloo.solo.io.HttpService.Response

Request

"allowedHeaders": []string
"headersToAdd": map<string, string>
"allowedHeadersRegex": []string

Field Type Description
allowedHeaders []string These headers will be copied from the incoming request to the request going to the auth server. Note that in addition to the user's supplied matchers:
1. Host, Method, Path and Content-Length are automatically included in the list.
2. Content-Length will be set to 0 and the request to the authorization service will not have a message body.
headersToAdd map<string, string> These headers will be included in the request to the authorization service. Note that a client request header with the same key will be overridden.
allowedHeadersRegex []string Headers that match these regex patterns will be copied from the incoming request to the request going to the auth server.

Response

"allowedUpstreamHeaders": []string
"allowedClientHeaders": []string

Field Type Description
allowedUpstreamHeaders []string When this is set, authorization response headers that have a header in this list will be added to the original client request and sent to the upstream. Note that coexistent headers will be overridden.
allowedClientHeaders []string When this is set, authorization response headers in this list will be added to the client’s response when the auth request is denied. Note that when this list is not set, all the authorization response headers, except Authority (Host) will be in the response to the client. When a header is included in this list, Path, Status, Content-Length, WWW-Authenticate and Location are automatically added.
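To make concrete which headers cross the boundary to the auth server and back, here is an added Go example modelling the Request and Response rules just described; it is not Gloo's or Envoy's code. RequestRules, ResponseRules, AuthRequest, BuildAuthRequest, OnAllowed and OnDenied are this example's own names. It assumes that an allowed_headers_regex pattern must match the whole header name, and it treats Path and Status as ordinary header names rather than HTTP/2 pseudo-headers.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
)

// RequestRules and ResponseRules mirror HttpService.Request / HttpService.Response on this page
// (hand-written types for the example, not Gloo's generated Go API).
type RequestRules struct {
	PathPrefix          string
	AllowedHeaders      []string
	AllowedHeadersRegex []string
	HeadersToAdd        map[string]string
}

type ResponseRules struct {
	AllowedUpstreamHeaders []string
	AllowedClientHeaders   []string
}

// AuthRequest is what reaches the auth server: the client's method, the (prefixed) path and the
// allowed headers, never a body.
type AuthRequest struct {
	Method, Path string
	Header       http.Header
}

// BuildAuthRequest applies allowed_headers, allowed_headers_regex and headers_to_add to a client request.
func BuildAuthRequest(rules RequestRules, method, path string, in http.Header) (AuthRequest, error) {
	// Host and Content-Length are always forwarded (Method and Path travel as the request line).
	allowed := map[string]bool{"Host": true, "Content-Length": true}
	for _, h := range rules.AllowedHeaders {
		allowed[http.CanonicalHeaderKey(h)] = true
	}
	var patterns []*regexp.Regexp
	for _, p := range rules.AllowedHeadersRegex {
		re, err := regexp.Compile("^(?:" + p + ")$") // a pattern must match the whole header name
		if err != nil {
			return AuthRequest{}, fmt.Errorf("allowed_headers_regex %q: %w", p, err)
		}
		patterns = append(patterns, re)
	}
	out := http.Header{}
	for name, values := range in {
		keep := allowed[name]
		for _, re := range patterns {
			keep = keep || re.MatchString(name)
		}
		if keep {
			out[name] = append([]string(nil), values...)
		}
	}
	out.Set("Content-Length", "0") // the auth request carries no body
	for k, v := range rules.HeadersToAdd {
		out.Set(k, v) // headers_to_add override a client header of the same name
	}
	return AuthRequest{Method: method, Path: rules.PathPrefix + path, Header: out}, nil
}

// OnAllowed merges the auth server's response headers into the client request bound for the
// upstream: only allowed_upstream_headers are taken, and they override a coexisting client header.
func OnAllowed(rules ResponseRules, authResp, clientReq http.Header) http.Header {
	merged := clientReq.Clone()
	for _, h := range rules.AllowedUpstreamHeaders {
		if v, ok := authResp[http.CanonicalHeaderKey(h)]; ok {
			merged[http.CanonicalHeaderKey(h)] = append([]string(nil), v...)
		}
	}
	return merged
}

// OnDenied selects which auth-server response headers the client may see. With no
// allowed_client_headers everything except Host (the :authority) is returned; with a list, Path,
// Status, Content-Length, WWW-Authenticate and Location are added to it automatically.
func OnDenied(rules ResponseRules, authResp http.Header) http.Header {
	out := http.Header{}
	if len(rules.AllowedClientHeaders) == 0 {
		for name, v := range authResp {
			if name != "Host" {
				out[name] = append([]string(nil), v...)
			}
		}
		return out
	}
	names := append([]string{"Path", "Status", "Content-Length", "WWW-Authenticate", "Location"}, rules.AllowedClientHeaders...)
	for _, h := range names {
		if v, ok := authResp[http.CanonicalHeaderKey(h)]; ok {
			out[http.CanonicalHeaderKey(h)] = append([]string(nil), v...)
		}
	}
	return out
}
```

Two points stand out when you run it: Authorization and Cookie are not forwarded unless named in allowedHeaders or matched by allowedHeadersRegex, so an HTTP auth server that needs the client's credentials must have them allowed explicitly; and on a denied request with allowedClientHeaders unset every auth-server response header (including any internal diagnostic header) reaches the client, which is a reason to set the list.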

BufferSettings

Configuration for buffering the request data.

"maxRequestBytes": int
"allowPartialMessage": bool
"packAsBytes": bool

Field Type Description
maxRequestBytes int Sets the maximum size of a message body that the filter will hold in memory. Envoy will return HTTP 413 and will not initiate the authorization process when the buffer reaches the number set in this field. Note that this setting takes precedence over failure_mode_allow. Defaults to 4KB.
allowPartialMessage bool When this field is true, Envoy will buffer the message until max_request_bytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter.
packAsBytes bool When this field is true, Envoy will send the body to the external authorization service as raw bytes.

CustomAuth

Gloo is not expected to configure the ext auth server in this case. This is used with custom auth servers.

"contextExtensions": map<string, string>
"name": string

Field Type Description
contextExtensions map<string, string> When a request matches the virtual host, route, or weighted destination on which this configuration is defined, Gloo will add the given context_extensions to the request that is sent to the external authorization server. This allows the server to base the auth decision on metadata that you define on the source of the request. This attribute is analogous to Envoy’s config.filter.http.ext_authz.v2.CheckSettings. See the official Envoy documentation for more details.
name string [Enterprise-only] Only required in the case where multiple auth servers are configured in Settings. This name must match a key in the named_extauth Settings.

AuthPlugin

"name": string
"pluginFileName": string
"exportedSymbolName": string
"config": .google.protobuf.Struct

Field Type Description
name string Name of the plugin.
pluginFileName string Name of the compiled plugin file. If not specified, Gloo Edge will look for an “.so” file with same name as the plugin.
exportedSymbolName string Name of the exported symbol that implements the plugin interface in the plugin. If not specified, defaults to the name of the plugin.
config .google.protobuf.Struct

BasicAuth

"realm": string
"apr": .enterprise.gloo.solo.io.BasicAuth.Apr

Field Type Description
realm string
apr .enterprise.gloo.solo.io.BasicAuth.Apr

Apr

"users": map<string, .enterprise.gloo.solo.io.BasicAuth.Apr.SaltedHashedPassword>

Field Type Description
users map<string, .enterprise.gloo.solo.io.BasicAuth.Apr.SaltedHashedPassword>

SaltedHashedPassword

"salt": string
"hashedPassword": string

Field Type Description
salt string
hashedPassword string

OAuth

Deprecated: Prefer OAuth2

"clientId": string
"clientSecretRef": .core.solo.io.ResourceRef
"issuerUrl": string
"authEndpointQueryParams": map<string, string>
"appUrl": string
"callbackPath": string
"scopes": []string

Field Type Description
clientId string Your client id as registered with the issuer.
clientSecretRef .core.solo.io.ResourceRef Your client secret as registered with the issuer.
issuerUrl string The url of the issuer. We will look for OIDC information in issuerUrl + ".well-known/openid-configuration".
authEndpointQueryParams map<string, string> Extra query parameters to apply to the Ext-Auth service's authorization request to the identity provider.
appUrl string Where to redirect after successful auth, if we can't determine the original url. This should be your publicly available app url.
callbackPath string A callback path relative to app url that will be used for OIDC callbacks. It should not be used by the application.
scopes []string Scopes to request in addition to the openid scope.

OAuth2

"oidcAuthorizationCode": .enterprise.gloo.solo.io.OidcAuthorizationCode
"accessTokenValidation": .enterprise.gloo.solo.io.AccessTokenValidation

Field Type Description
oidcAuthorizationCode .enterprise.gloo.solo.io.OidcAuthorizationCode Provide the issuer location and let Gloo handle the OIDC flow for you. Requests are authorized by validating the contents of the ID token; the access token can also be authorized if configured. Only one of oidcAuthorizationCode or accessTokenValidation can be set.
accessTokenValidation .enterprise.gloo.solo.io.AccessTokenValidation Provide the access token on the request and let Gloo handle authorization. According to https://tools.ietf.org/html/rfc6750 you can pass tokens through:
- a form-encoded body parameter (recommended, more likely to appear), e.g. Authorization: Bearer mytoken123
- a URI query parameter, e.g. access_token=mytoken123
- and (preferably) secure cookies.
Only one of accessTokenValidation or oidcAuthorizationCode can be set.

RedisOptions

"host": string
"db": int
"poolSize": int

Field Type Description
host string Address of the redis server. Can be address:port or unix://path/to/unix.sock.
db int The redis db to use. Can be left unset for db 0.
poolSize int Size of the connection pool. Can be left unset for the default, which is 10 connections per CPU.

UserSession

"failOnFetchFailure": bool
"cookieOptions": .enterprise.gloo.solo.io.UserSession.CookieOptions
"cookie": .enterprise.gloo.solo.io.UserSession.InternalSession
"redis": .enterprise.gloo.solo.io.UserSession.RedisSession

Field Type Description
failOnFetchFailure bool Whether to fail the auth flow when fetching a session from redis fails, or to allow it to continue, potentially starting a new auth flow and setting a new session.
cookieOptions .enterprise.gloo.solo.io.UserSession.CookieOptions Set-Cookie options.
cookie .enterprise.gloo.solo.io.UserSession.InternalSession Set the tokens in the cookie itself. No need for server side state. Only one of cookie or redis can be set.
redis .enterprise.gloo.solo.io.UserSession.RedisSession Use redis to store the tokens and just store a random id in the cookie. Only one of redis or cookie can be set.

InternalSession

Field Type Description

RedisSession

"options": .enterprise.gloo.solo.io.RedisOptions
"keyPrefix": string
"cookieName": string
"allowRefreshing": .google.protobuf.BoolValue

Field Type Description
options .enterprise.gloo.solo.io.RedisOptions Options to connect to redis.
keyPrefix string Key prefix inside redis.
cookieName string Cookie name to set and store the session id. If empty the default “__session” is used.
allowRefreshing .google.protobuf.BoolValue When set, refresh expired id-tokens using the refresh-token. Defaults to true. Explicitly set to false to disable refreshing.

CookieOptions

"maxAge": .google.protobuf.UInt32Value
"notSecure": bool
"path": .google.protobuf.StringValue
"domain": string

Field Type Description
maxAge .google.protobuf.UInt32Value Max age for the cookie. Leave unset for a default of 30 days (2592000 seconds). To disable cookie expiry, set explicitly to 0.
notSecure bool Use a non-secure cookie. Note - this should only be used for testing and in trusted environments.
path .google.protobuf.StringValue Path of the cookie. If unset, defaults to "/". Set it explicitly to "" to avoid setting a path.
domain string Cookie domain.

HeaderConfiguration

"idTokenHeader": string
"accessTokenHeader": string

Field Type Description
idTokenHeader string If set, the id token will be forwarded upstream using this header name.
accessTokenHeader string If set, the access token will be forwarded upstream using this header name.

DiscoveryOverride

OIDC configuration is discovered at /.well-known/openid-configuration. The discovery override defines any properties that should override this discovery configuration. See https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata.

"authEndpoint": string
"tokenEndpoint": string
"jwksUri": string
"scopes": []string
"responseTypes": []string
"subjects": []string
"idTokenAlgs": []string
"authMethods": []string
"claims": []string

Field Type Description
authEndpoint string URL of the provider authorization endpoint.
tokenEndpoint string URL of the provider token endpoint.
jwksUri string URL of the provider json web key set.
scopes []string List of scope values that the provider supports.
responseTypes []string List of response types that the provider supports.
subjects []string List of subject identifier types that the provider supports.
idTokenAlgs []string List of json web signature signing algorithms that the provider supports for encoding claims in a jwt.
authMethods []string List of client authentication methods supported by the provider token endpoint.
claims []string List of claim types that the provider supports.

JwksOnDemandCacheRefreshPolicy

The json web key set (JWKS) (https://tools.ietf.org/html/rfc7517) is discovered at an interval from a remote source. When keys rotate in the remote source, there may be a delay in the local source picking up those new keys. Therefore, a user could execute a request with a token that has been signed by a key in the remote JWKS, but the local cache doesn't have the key yet. The request would fail because the key isn't contained in the local set. Since most IdPs publish new keys in their remote JWKS before they are used, this is not an issue most of the time. This policy lets you define the behavior for when a user has a token with a key not yet in the local cache.

"never": .google.protobuf.Empty
"always": .google.protobuf.Empty
"maxIdpReqPerPollingInterval": int

Field Type Description
never .google.protobuf.Empty Never refresh the local JWKS cache on demand. If a key is not in the cache, it is assumed to be malicious. This is the default policy since we assume that IdPs publish keys before they rotate them, and frequent polling finds the newest keys. Only one of never, always, or maxIdpReqPerPollingInterval can be set.
always .google.protobuf.Empty If a key is not in the cache, fetch the most recent keys from the IdP and update the cache. NOTE: This should only be done in trusted environments, since missing keys will each trigger a request to the IdP. Using this in an environment exposed to the internet will allow malicious agents to execute a DDoS attack by spamming protected endpoints with tokens signed by invalid keys. Only one of always, never, or maxIdpReqPerPollingInterval can be set.
maxIdpReqPerPollingInterval int If a key is not in the cache, fetch the most recent keys from the IdP and update the cache. This value sets the number of requests to the IdP per polling interval. If that limit is exceeded, we will stop fetching from the IdP for the remainder of the polling interval. Only one of maxIdpReqPerPollingInterval, never, or always can be set.
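The three policies differ in how much IdP traffic a token with an unknown kid can cause, which is the concern the "always" description raises. The following Go model is an added example, not Gloo's cache implementation: JwksCache, KeyFetcher, the RefreshPolicy constants and the IdpRequests counter are this example's names, and the IdP is a constructed in-memory fetcher. Running main prints how many IdP requests five lookups with unknown kids cause under each policy.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// RefreshPolicy mirrors the three JwksOnDemandCacheRefreshPolicy choices on this page.
type RefreshPolicy int

const (
	RefreshNever   RefreshPolicy = iota // "never"
	RefreshAlways                       // "always"
	RefreshLimited                      // "maxIdpReqPerPollingInterval"
)

// KeyFetcher stands in for the HTTP fetch of the IdP's JWKS; it returns kid -> key material.
type KeyFetcher func() (map[string]string, error)

var (
	ErrUnknownKid    = errors.New("kid not present in the local JWKS cache")
	ErrRefreshBudget = errors.New("kid not cached and the on-demand refresh budget for this polling interval is spent")
)

// JwksCache is single-threaded for clarity; a real cache would serialise concurrent refreshes.
type JwksCache struct {
	policy         RefreshPolicy
	maxPerInterval int
	pollInterval   time.Duration
	fetch          KeyFetcher
	now            func() time.Time

	keys          map[string]string
	windowStart   time.Time
	onDemandCount int
	IdpRequests   int // every call to fetch, scheduled or on demand: the number an attacker can try to inflate
}

func NewJwksCache(policy RefreshPolicy, maxPerInterval int, pollInterval time.Duration, fetch KeyFetcher) (*JwksCache, error) {
	c := &JwksCache{policy: policy, maxPerInterval: maxPerInterval, pollInterval: pollInterval, fetch: fetch, now: time.Now}
	if err := c.Poll(); err != nil {
		return nil, err
	}
	return c, nil
}

// Poll is the scheduled refresh (every discoveryPollInterval); it replaces the cached set and
// opens a fresh on-demand budget window.
func (c *JwksCache) Poll() error {
	keys, err := c.fetch()
	if err != nil {
		return err
	}
	c.IdpRequests++
	c.keys, c.windowStart, c.onDemandCount = keys, c.now(), 0
	return nil
}

// Lookup resolves kid from the cache; on a miss it asks the IdP only as far as the policy allows.
func (c *JwksCache) Lookup(kid string) (string, error) {
	if k, ok := c.keys[kid]; ok {
		return k, nil
	}
	switch c.policy {
	case RefreshNever:
		return "", ErrUnknownKid // an unknown key is treated as malicious; no IdP traffic at all
	case RefreshLimited:
		if c.now().Sub(c.windowStart) >= c.pollInterval {
			c.windowStart, c.onDemandCount = c.now(), 0
		}
		if c.onDemandCount >= c.maxPerInterval {
			return "", ErrRefreshBudget // stop fetching for the rest of the interval
		}
		c.onDemandCount++
	}
	keys, err := c.fetch()
	if err != nil {
		return "", err
	}
	c.IdpRequests++
	c.keys = keys
	if k, ok := c.keys[kid]; ok {
		return k, nil
	}
	return "", ErrUnknownKid
}

func main() {
	// Constructed IdP that publishes one key; every lookup below uses kids it does not have.
	idp := func() (map[string]string, error) { return map[string]string{"key-2023": "<key material>"}, nil }
	for _, p := range []RefreshPolicy{RefreshNever, RefreshAlways, RefreshLimited} {
		c, _ := NewJwksCache(p, 2, time.Hour, idp)
		for i := 0; i < 5; i++ {
			c.Lookup(fmt.Sprintf("bogus-%d", i))
		}
		fmt.Printf("policy %d: %d IdP requests\n", p, c.IdpRequests) // 1, 6 and 3 respectively
	}
}
```

With "never" the five bogus tokens cost one scheduled fetch and nothing more; with "always" each of them triggers a fetch; with a limit of 2 per polling interval the third and later misses are refused until the next Poll resets the budget, while a genuinely rotated key still becomes usable on the first miss after the reset.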

OidcAuthorizationCode

"clientId": string
"clientSecretRef": .core.solo.io.ResourceRef
"issuerUrl": string
"authEndpointQueryParams": map<string, string>
"tokenEndpointQueryParams": map<string, string>
"appUrl": string
"callbackPath": string
"logoutPath": string
"afterLogoutUrl": string
"scopes": []string
"session": .enterprise.gloo.solo.io.UserSession
"headers": .enterprise.gloo.solo.io.HeaderConfiguration
"discoveryOverride": .enterprise.gloo.solo.io.DiscoveryOverride
"discoveryPollInterval": .google.protobuf.Duration
"jwksCacheRefreshPolicy": .enterprise.gloo.solo.io.JwksOnDemandCacheRefreshPolicy
"sessionIdHeaderName": string

Field Type Description
clientId string Your client id as registered with the issuer.
clientSecretRef .core.solo.io.ResourceRef Your client secret as registered with the issuer.
issuerUrl string The url of the issuer. We will look for OIDC information in issuerUrl + ".well-known/openid-configuration".
authEndpointQueryParams map<string, string> Extra query parameters to apply to the Ext-Auth service's authorization request to the identity provider. This can be useful for flows such as PKCE (https://www.oauth.com/oauth2-servers/pkce/authorization-request/) to set the code_challenge and code_challenge_method.
tokenEndpointQueryParams map<string, string> Extra query parameters to apply to the Ext-Auth service's token request to the identity provider. This can be useful for flows such as PKCE (https://www.oauth.com/oauth2-servers/pkce/authorization-request/) to set the code_verifier.
appUrl string Where to redirect after successful auth, if we can't determine the original url. This should be your publicly available app url.
callbackPath string A callback path relative to app url that will be used for OIDC callbacks. It should not be used by the application.
logoutPath string A path relative to app url that will be used for logging out from an OIDC session. It should not be used by the application. If not provided, logout functionality will be disabled.
afterLogoutUrl string URL to redirect to after logout. This should be a publicly available URL. If not provided, it will default to the app_url.
scopes []string Scopes to request in addition to the openid scope.
session .enterprise.gloo.solo.io.UserSession Configuration related to the user session.
headers .enterprise.gloo.solo.io.HeaderConfiguration Configures headers added to requests.
discoveryOverride .enterprise.gloo.solo.io.DiscoveryOverride OIDC configuration is discovered at /.well-known/openid-configuration. The discovery override defines any properties that should override this discovery configuration. For example, the following AuthConfig CRD could be defined as:

```yaml
apiVersion: enterprise.gloo.solo.io/v1
kind: AuthConfig
metadata:
  name: google-oidc
  namespace: gloo-system
spec:
  configs:
  - oauth:
      app_url: http://localhost:8080
      callback_path: /callback
      client_id: $CLIENT_ID
      client_secret_ref:
        name: google
        namespace: gloo-system
      issuer_url: https://accounts.google.com
      discovery_override:
        token_endpoint: "https://token.url/gettoken"
```

This will ensure that regardless of what value is discovered at /.well-known/openid-configuration, "https://token.url/gettoken" will be used as the token endpoint.
discoveryPollInterval .google.protobuf.Duration The interval at which OIDC configuration is discovered at /.well-known/openid-configuration. If not specified, the default value is 30 minutes.
jwksCacheRefreshPolicy .enterprise.gloo.solo.io.JwksOnDemandCacheRefreshPolicy If a user executes a request with a key that is not found in the JWKS, it could be that the keys have rotated on the remote source, and not yet in the local cache. This policy lets you define the behavior for how to refresh the local cache during a request where an invalid key is provided.
sessionIdHeaderName string If set, the randomly generated session id will be sent to the token endpoint as part of the code exchange. The session id is used as the key for sessions in Redis.

AccessTokenValidation

"introspectionUrl": string
"jwt": .enterprise.gloo.solo.io.AccessTokenValidation.JwtValidation
"introspection": .enterprise.gloo.solo.io.AccessTokenValidation.IntrospectionValidation
"userinfoUrl": string
"cacheTimeout": .google.protobuf.Duration
"requiredScopes": .enterprise.gloo.solo.io.AccessTokenValidation.ScopeList

Field Type Description
introspectionUrl string The URL for the OAuth2.0 Token Introspection endpoint. If provided, the (opaque) access token provided or received from the oauth authorization endpoint will be validated against this endpoint, or locally cached responses for this access token. This field is deprecated as it does not support authenticated introspection requests. Only one of introspectionUrl, jwt, or introspection can be set.
jwt .enterprise.gloo.solo.io.AccessTokenValidation.JwtValidation Validate access tokens that conform to the JSON Web Token (JWT) specification. Only one of jwt, introspectionUrl, or introspection can be set.
introspection .enterprise.gloo.solo.io.AccessTokenValidation.IntrospectionValidation Defines how (opaque) access tokens, received from the oauth authorization endpoint, are validated against the OAuth2.0 Token Introspection specification. Only one of introspection, introspectionUrl, or jwt can be set.
userinfoUrl string The URL for the OIDC userinfo endpoint. If provided, the (opaque) access token provided or received from the oauth endpoint will be queried and the userinfo response (or cached response) will be added to the AuthorizationRequest state under the “introspection” key. This can be useful to leverage the userinfo response in, for example, an external auth server plugin.
cacheTimeout .google.protobuf.Duration How long the token introspection and userinfo endpoint response for a specific access token should be kept in the in-memory cache. The result will be invalidated at this timeout, or at “exp” time from the introspection result, whichever comes sooner. If omitted, defaults to 10 minutes. If zero, then no caching will be done.
requiredScopes .enterprise.gloo.solo.io.AccessTokenValidation.ScopeList Require the access token to have all of the scopes in the given list. This configuration applies to both opaque and JWT tokens. In the case of opaque tokens, this will check the scopes returned in the "scope" member of the introspection response (as described in Section 2.2 of RFC7662). In the case of JWTs, the scopes to be validated are expected to be contained in the "scope" claim of the token in the form of a space-separated string. Omitting this field means that scope validation will be skipped.

JwtValidation

Defines how JSON Web Token (JWT) access tokens are validated.

Tokens are validated using a JSON Web Key Set (as defined in Section 5 of RFC7517), which can be either inlined in the configuration or fetched from a remote location via HTTP. Any keys in the JWKS that are not intended for signature verification (i.e. whose “use” parameter is not “sig”) will be ignored by the system, as will keys that do not specify a “kid” (Key ID) parameter.

The JWT to be validated must define non-empty “kid” and “alg” headers. The “kid” header determines which key in the JWKS will be used to verify the signature of the token; if no matching key is found, the token will be rejected.

If present, the server will verify the “exp”, “iat”, and “nbf” standard JWT claims. Validation of the “iss” claim and of token scopes can be configured as well. If the JWT has been successfully validated, its set of claims will be added to the AuthorizationRequest state under the “jwtAccessToken” key.

"remoteJwks": .enterprise.gloo.solo.io.AccessTokenValidation.JwtValidation.RemoteJwks
"localJwks": .enterprise.gloo.solo.io.AccessTokenValidation.JwtValidation.LocalJwks
"issuer": string

Field Type Description
remoteJwks .enterprise.gloo.solo.io.AccessTokenValidation.JwtValidation.RemoteJwks Fetches the JWKS from a remote location. Only one of remoteJwks or localJwks can be set.
localJwks .enterprise.gloo.solo.io.AccessTokenValidation.JwtValidation.LocalJwks Loads the JWKS from a local data source. Only one of localJwks or remoteJwks can be set.
issuer string Allow only tokens that have been issued by this principal (i.e. whose “iss” claim matches this value). If empty, issuer validation will be skipped.
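An added Go example (not Gloo's ext-auth server code) of the validation described above, combined with the requiredScopes check from AccessTokenValidation. It drops JWKS keys whose "use" is not "sig" or that have no "kid", selects the verification key by the token's "kid", pins "alg" instead of trusting the token's choice, verifies the signature, enforces exp, nbf and iat when present, and then applies the configured issuer and scopes. To stay within the Go standard library it uses HS256 with symmetric "oct" JWKs; an IdP would normally publish RSA or EC public keys, and only the signature primitive would differ. ValidateJWT, JwtValidation, signingKeys and MintToken are this example's names; MintToken plays the IdP so the block runs offline, and the secret and claims are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// JWK carries the RFC 7517 members this example needs ("oct" keys); encoding/json matches the
// lowercase names "kty", "kid", "use" and "k" to these fields case-insensitively.
type JWK struct{ Kty, Kid, Use, K string }

// JwtValidation holds the page's optional checks: "issuer" (JwtValidation) and "requiredScopes" (AccessTokenValidation).
type JwtValidation struct {
	Issuer         string   // "" skips issuer validation
	RequiredScopes []string // each must appear in the space-separated "scope" claim
}

var b64 = base64.RawURLEncoding

func hs256(key []byte, input string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// signingKeys parses a JWKS and applies the page's filter: keys whose "use" is not "sig" or that lack a "kid" are ignored.
func signingKeys(jwksJSON string) (map[string][]byte, error) {
	var set struct{ Keys []JWK }
	if err := json.Unmarshal([]byte(jwksJSON), &set); err != nil {
		return nil, err
	}
	keys := map[string][]byte{}
	for _, k := range set.Keys {
		secret, err := b64.DecodeString(k.K)
		if k.Use != "sig" || k.Kid == "" || k.Kty != "oct" || err != nil {
			continue
		}
		keys[k.Kid] = secret
	}
	return keys, nil
}

// ValidateJWT verifies an HS256 token against jwksJSON as of nowUnix and returns its claims, or the check that failed.
func ValidateJWT(token, jwksJSON string, cfg JwtValidation, nowUnix int64) (map[string]any, error) {
	keys, err := signingKeys(jwksJSON)
	if err != nil {
		return nil, err
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a three-part JWS")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("malformed token header")
	}
	// kid selects the key (an empty kid matches nothing, as keys without kid were dropped);
	// alg is pinned to what the JWKS keys are for rather than trusted from the token.
	key, ok := keys[hdr.Kid]
	if hdr.Alg != "HS256" || !ok {
		return nil, fmt.Errorf("need alg HS256 and a JWKS signing key for kid %q, got alg=%q", hdr.Kid, hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, hs256(key, parts[0]+"."+parts[1])) {
		return nil, errors.New("signature verification failed")
	}
	var claims map[string]any
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, errors.New("malformed token payload")
	}
	// Time claims are enforced only when present (JSON numbers decode as float64).
	if exp, ok := claims["exp"].(float64); ok && nowUnix >= int64(exp) {
		return nil, errors.New("token expired")
	}
	for _, name := range []string{"nbf", "iat"} {
		if v, ok := claims[name].(float64); ok && nowUnix < int64(v) {
			return nil, fmt.Errorf("claim %q lies in the future", name)
		}
	}
	if iss, _ := claims["iss"].(string); cfg.Issuer != "" && iss != cfg.Issuer {
		return nil, errors.New("issuer mismatch")
	}
	scope, _ := claims["scope"].(string)
	for _, want := range cfg.RequiredScopes {
		if !strings.Contains(" "+scope+" ", " "+want+" ") {
			return nil, fmt.Errorf("missing required scope %q", want)
		}
	}
	return claims, nil
}

// MintToken stands in for the IdP so the example runs offline: it signs claims with secret under
// kid and returns the token together with a JWKS publishing that key with the given "use".
func MintToken(secret []byte, kid, use string, claims map[string]any) (token, jwks string) {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "kid": kid, "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	set, _ := json.Marshal(map[string]any{"keys": []map[string]string{{
		"kty": "oct", "kid": kid, "use": use, "k": b64.EncodeToString(secret)}}})
	return input + "." + b64.EncodeToString(hs256(secret, input)), string(set)
}
```

Exercising ValidateJWT with tokens from MintToken shows each rejection the page calls for: the same key published with use "enc" is ignored and the token is refused, a key without kid never matches, a payload swapped between two tokens fails the signature check, and a token that is past exp, from another issuer, or lacking a required scope is refused even though its signature is valid.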

RemoteJwks

Specifies how to fetch JWKS from remote and how to cache it.

"url": string
"refreshInterval": .google.protobuf.Duration

Field Type Description
url string The HTTP URI to fetch the JWKS.
refreshInterval .google.protobuf.Duration The frequency at which the JWKS should be refreshed. If not specified, the default value is 5 minutes.

LocalJwks

Represents a locally available JWKS.

"inlineString": string

Field Type Description
inlineString string JWKS is embedded as a string.

IntrospectionValidation

Defines how (opaque) access tokens, received from the oauth authorization endpoint, are validated using OAuth2.0 Token Introspection.

If the token introspection url requires client authentication, both the client_id and client_secret are required. If only one is provided, the config will be rejected. These values will be encoded in a basic auth header in order to authenticate the client.

"introspectionUrl": string
"clientId": string
"clientSecretRef": .core.solo.io.ResourceRef
"userIdAttributeName": string

Field Type Description
introspectionUrl string The URL for the OAuth2.0 Token Introspection endpoint. If provided, the (opaque) access token provided or received from the oauth authorization endpoint will be validated against this endpoint, or locally cached responses for this access token.
clientId string Your client id as registered with the issuer. Optional: Use if the token introspection url requires client authentication.
clientSecretRef .core.solo.io.ResourceRef Your client secret as registered with the issuer. Optional: Use if the token introspection url requires client authentication.
userIdAttributeName string The name of the introspection response attribute that contains the ID of the resource owner (e.g. sub, username). If specified, the external auth server will use the value of the attribute as the identifier of the authenticated user and add it to the request headers and/or dynamic metadata (depending on how the server is configured); if the field is set and the attribute cannot be found, the request will be denied. This field is optional and by default the server will not try to derive the user ID.

ScopeList

"scope": []string

Field Type Description
scope []string

OauthSecret

"clientSecret": string

Field Type Description
clientSecret string

ApiKeyAuth

"labelSelector": map<string, string>
"apiKeySecretRefs": []core.solo.io.ResourceRef
"headerName": string
"headersFromMetadata": map<string, .enterprise.gloo.solo.io.ApiKeyAuth.SecretKey>

Field Type Description
labelSelector map<string, string> Identify all valid API key secrets that match the provided label selector. API key secrets must be in one of the watch namespaces for gloo to locate them.
apiKeySecretRefs []core.solo.io.ResourceRef A way to directly reference API key secrets. This configuration can be useful for testing, but in general the more flexible label selector should be preferred.
headerName string When receiving a request, the Gloo Edge Enterprise external auth server will look for an API key in a header with this name. This field is optional; if not provided it defaults to api-key.
headersFromMetadata map<string, .enterprise.gloo.solo.io.ApiKeyAuth.SecretKey> API key secrets might contain additional data (e.g. the ID of the user that the API key belongs to) in the form of extra keys included in the secret’s data field. This configuration can be used to add this data to the headers of successfully authenticated requests. Each key in the map represents the name of header to be added; the corresponding value determines the key in the secret data that will be inspected to determine the value for the header.

SecretKey

"name": string
"required": bool

Field Type Description
name string (Required) The key of the secret data entry to inspect.
required bool If this field is set to true, Gloo will reject an API key secret that does not contain the given key. Defaults to false. In this case, if a secret does not contain the requested data, no header will be added to the request.

ApiKeySecret

"generateApiKey": bool
"apiKey": string
"labels": []string
"metadata": map<string, string>

Field Type Description
generateApiKey bool If true, generate an API key. This field is deprecated as it was used only internally by glooctl and is not actually part of the secret API.
apiKey string The value of the API key.
labels []string A list of labels (key=value) for the API key secret. These labels are used when creating an ApiKeySecret via glooctl and are then copied to the metadata of the created secret. This field is deprecated as it was used only internally by glooctl and is not actually part of the secret API.
metadata map<string, string> If the secret data contains entries in addition to the API key one, they will be copied to this field.

OpaAuth

"modules": []core.solo.io.ResourceRef
"query": string
"options": .enterprise.gloo.solo.io.OpaAuthOptions

Field Type Description
modules []core.solo.io.ResourceRef Optional resource references to config maps containing modules that assist in the resolution of the query.
query string The query that determines the auth decision. The result of this query must be either a boolean or an array with boolean as the first element. A boolean true value means that the request will be authorized. Any other value, or error, means that the request will be denied.
options .enterprise.gloo.solo.io.OpaAuthOptions Additional options for OPA auth configuration.

OpaAuthOptions

"fastInputConversion": bool

Field Type Description
fastInputConversion bool Decreases OPA latency by speeding up conversion of input to the OPA engine. If this is set to true, only http_request and state fields which are a scalar, map, or string array are included in the request input. All other fields are dropped. Dropped fields will not be evaluated by the OPA engine. By default, this is set to false and all fields are evaluated by OPA.

Ldap

Authenticates and authorizes requests by querying an LDAP server. Gloo makes the following assumptions:

"address": string
"userDnTemplate": string
"membershipAttributeName": string
"allowedGroups": []string
"pool": .enterprise.gloo.solo.io.Ldap.ConnectionPool

Field Type Description
address string Address of the LDAP server to query. Should be in the form ADDRESS:PORT, e.g. ldap.default.svc.cluster.local:389.
userDnTemplate string Template used to build user entry distinguished names (DNs). It must contain a single occurrence of the "%s" placeholder. When processing a request, Gloo substitutes the user name (extracted from the auth header) for the placeholder and issues a search request with the resulting DN as the base DN (and 'base' search scope). E.g. "uid=%s,ou=people,dc=solo,dc=io".
membershipAttributeName string Case-insensitive name of the attribute that contains the names of the groups an entry is member of. Gloo will look for attributes with the given name to determine which groups the user entry belongs to. Defaults to ‘memberOf’ if not provided.
allowedGroups []string In order for the request to be authenticated, the membership attribute (e.g. memberOf) on the user entry must contain at least one of the group DNs specified via this option. E.g. []string{ "cn=managers,ou=groups,dc=solo,dc=io", "cn=developers,ou=groups,dc=solo,dc=io" }.
pool .enterprise.gloo.solo.io.Ldap.ConnectionPool Use this property to tune the pool of connections to the LDAP server that Gloo maintains.

ConnectionPool

Configuration properties for pooling connections to the LDAP server. If the pool is exhausted when a connection is requested (meaning that all the pooled connections are in use), a connection will be created on the fly.

"maxSize": .google.protobuf.UInt32Value
"initialSize": .google.protobuf.UInt32Value

Field Type Description
maxSize .google.protobuf.UInt32Value Maximum number of connections that are pooled at any given time. The default value is 5.
initialSize .google.protobuf.UInt32Value Number of connections that the pool will be pre-populated with upon initialization. The default value is 2.

PassThroughAuth

Authorizes requests by querying a custom extauth server.

"grpc": .enterprise.gloo.solo.io.PassThroughGrpc
"http": .enterprise.gloo.solo.io.PassThroughHttp
"config": .google.protobuf.Struct

Field Type Description
grpc .enterprise.gloo.solo.io.PassThroughGrpc Only one of grpc or http can be set.
http .enterprise.gloo.solo.io.PassThroughHttp Only one of http or grpc can be set.
config .google.protobuf.Struct Custom config to be passed per request to the passthrough auth service.

PassThroughGrpc

Authorizes requests by querying a custom extauth gRPC server. Assumes that the server implements the Envoy external authorization spec: https://github.com/envoyproxy/envoy/blob/ae1ed1fa74f096dabe8dd5b19fc70333621b0309/api/envoy/service/auth/v3/external_auth.proto#L29

"address": string
"connectionTimeout": .google.protobuf.Duration

Field Type Description
address string Address of the auth server to query. Should be in the form ADDRESS:PORT, e.g. default.svc.cluster.local:389.
connectionTimeout .google.protobuf.Duration Timeout for the auth server to respond. Defaults to 5s.

PassThroughHttp

Authorizes requests by making a POST HTTP/1 request to a custom HTTP auth server. The request is treated as authorized if the server returns an OK (200) status code; otherwise the request is unauthorized.

"url": string
"request": .enterprise.gloo.solo.io.PassThroughHttp.Request
"response": .enterprise.gloo.solo.io.PassThroughHttp.Response
"connectionTimeout": .google.protobuf.Duration

Field Type Description
url string Required. URL of the passthrough HTTP service; this is a fully qualified domain name. Example: http://ext-auth-service.svc.local:9001. A path provided in the URL will be respected. To use HTTPS, provide the cert in the HTTPS_PASSTHROUGH_CA_CERT environment variable to the ext-auth-service pod as a base64-encoded string.
request .enterprise.gloo.solo.io.PassThroughHttp.Request
response .enterprise.gloo.solo.io.PassThroughHttp.Response
connectionTimeout .google.protobuf.Duration Timeout for the auth server to respond. Defaults to 5s.

Request

The passthrough HTTP request can be configured to pass through the incoming request body, the ext-auth state (which is shared between different auth methods within one ext-auth instance), and the filter metadata. The body of the passthrough auth request will be JSON of the following shape:

{
  "body": string,
  "state": object (map[string]interface{}),
  "filterMetadata": object (map[string]protobuf.Struct),
  "config": object (protobuf.Struct)
}

config is the struct block specified under the passthrough auth configuration. If passthrough_body, passthrough_state, passthrough_filter_metadata, and config are all false/nil, the body of the auth request will remain empty. Setting any of these will increase latency slightly due to JSON marshalling.

"allowedHeaders": []string
"headersToAdd": map<string, string>
"passThroughState": bool
"passThroughFilterMetadata": bool
"passThroughBody": bool

Field Type Description
allowedHeaders []string These headers will be copied from the incoming request to the request going to the auth server. By default, no headers are copied from the incoming request. Pseudo-headers such as :Path and :Method cannot be specified here.
headersToAdd map<string, string> These headers will be included in the request to the authorization service. Note that client request headers with the same key will be overridden. Pseudo-headers such as :Path and :Method cannot be specified here.
passThroughState bool Whether or not to include the ext-auth state object in the passthrough request body. If this is set to true, it is expected that the state is returned in the HTTP response from the passthrough service. The state received from the response will be the state that is shared with other ext-auth service methods. If pass_through_body, pass_through_filter_metadata and pass_through_state are false, the authorization request body will be empty. A non-empty body will increase latency slightly, so this is set to false by default, and should only be set to true if the extauth state is needed in the auth request.
passThroughFilterMetadata bool Whether or not to include the filter metadata in the passthrough request body. If pass_through_body, pass_through_filter_metadata and pass_through_state are false, the authorization request body will be empty. A non-empty body will increase latency slightly, so this is set to false by default, and should only be set to true if the filter metadata is needed in the auth request.
passThroughBody bool Whether or not to include the body in the passthrough request body. In order for this to work, settings.extauth.requestBody must be set in the Gloo Edge Settings CRD so that the request body is buffered and sent to the ext-auth service. If pass_through_body, pass_through_filter_metadata and pass_through_state are false, the authorization request body will be empty. A non-empty body will increase latency slightly, so this is set to false by default, and should only be set to true if the request body is needed in the auth request.

Response

"allowedUpstreamHeaders": []string
"allowedClientHeadersOnDenied": []string
"readStateFromResponse": bool

Field Type Description
allowedUpstreamHeaders []string When this is set, authorization response headers that have a header in this list will be added to the original client request and sent to the upstream when the auth request is successful. These will be appended to any request headers that already exist. If this is empty, by default, no authorization response headers will be added to the upstream request.
allowedClientHeadersOnDenied []string When this is set, authorization response headers in this list will be added to the client’s response when the auth request is denied. If the response header already exists, it will replace the response header. If this is empty, by default, no authorization response headers will be added to the client response.
readStateFromResponse bool If this is set to true, the body of the response from the HTTP passthrough auth server is expected to have the shape { "state": object (map[string]interface{}) }. The state will be unmarshalled from the response body, and this is the state that will be passed on to other auth configs. Because of the unmarshalling from JSON to a Go map, this will add some latency to the request. If the unmarshalling fails, the authorization check will fail and the request will be unauthorized after the ext-auth-service pod logs the unmarshal error.
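As an added example, not code from the Gloo project or this reference, here is a minimal PassThroughHttp server in Go that consumes the request body shape described under Request, decides from the shared state and the per-route config struct, and returns the state in the shape readStateFromResponse expects. The state key user, the config key allowedUsers and the header names it sets are constructed for the example; Gloo only forwards those headers if they are listed in allowedUpstreamHeaders or allowedClientHeadersOnDenied.

```go
package main

import (
	"encoding/json"
	"io"
	"log"
	"net/http"
)

// PassThroughRequest mirrors the JSON body the ext-auth service sends to a
// PassThroughHttp server (field names as documented under Request).
type PassThroughRequest struct {
	Body           string                            `json:"body"`
	State          map[string]interface{}            `json:"state"`
	FilterMetadata map[string]map[string]interface{} `json:"filterMetadata"`
	Config         map[string]interface{}            `json:"config"`
}

// PassThroughResponse is the body expected back when readStateFromResponse
// is true; the returned state becomes the state shared with later configs.
type PassThroughResponse struct {
	State map[string]interface{} `json:"state"`
}

// Decision is the outcome of one check. Gloo forwards Headers only if they are
// listed in allowedUpstreamHeaders (allow) or allowedClientHeadersOnDenied (deny).
type Decision struct {
	Allowed bool
	Headers http.Header
	State   map[string]interface{}
}

// Constructed names for this example: an earlier config in the chain is
// assumed to have stored the authenticated user under stateUserKey, and the
// route's passthrough `config` struct is assumed to carry an allowedUsers list.
const (
	stateUserKey   = "user"
	configAllowKey = "allowedUsers"
)

// Authorize applies the example policy: allow only when the user found in the
// shared state is in the route's allowedUsers list. Missing state or config is
// a deny, never a default allow.
func Authorize(req PassThroughRequest) Decision {
	d := Decision{Headers: http.Header{}, State: req.State}
	if d.State == nil {
		d.State = map[string]interface{}{}
	}
	user, _ := req.State[stateUserKey].(string)
	allowed, _ := req.Config[configAllowKey].([]interface{})
	for _, a := range allowed {
		if s, ok := a.(string); ok && s != "" && s == user {
			d.Allowed = true
			d.Headers.Set("x-passthrough-user", user)
			d.State["passthroughDecision"] = "allow"
			return d
		}
	}
	d.Headers.Set("x-auth-denied-reason", "user-not-allowed")
	return d
}

// DecodeRequest parses the passthrough body. An empty body (all passthrough
// flags false and no config) is valid and decodes to an empty request.
func DecodeRequest(r io.Reader) (PassThroughRequest, error) {
	var req PassThroughRequest
	raw, err := io.ReadAll(r)
	if err != nil || len(raw) == 0 {
		return req, err
	}
	err = json.Unmarshal(raw, &req)
	return req, err
}

// Handler speaks the PassThroughHttp contract: 200 means authorized, any other
// status means denied; on allow the JSON body carries the state back.
func Handler(w http.ResponseWriter, r *http.Request) {
	req, err := DecodeRequest(r.Body)
	if err != nil {
		http.Error(w, "bad passthrough body", http.StatusBadRequest)
		return
	}
	d := Authorize(req)
	for k, v := range d.Headers {
		w.Header()[k] = v
	}
	if !d.Allowed {
		w.WriteHeader(http.StatusForbidden)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(PassThroughResponse{State: d.State})
}

// Port 9001 matches the url example above; the listen address is constructed.
func main() { log.Fatal(http.ListenAndServe(":9001", http.HandlerFunc(Handler))) }
```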

ExtAuthConfig

"authConfigRefName": string
"configs": []enterprise.gloo.solo.io.ExtAuthConfig.Config
"booleanExpr": .google.protobuf.StringValue

Field Type Description
authConfigRefName string
configs []enterprise.gloo.solo.io.ExtAuthConfig.Config List of auth configs to be checked for requests on a route referencing this auth config. By default, every config must be authorized for the entire request to be authorized. This behavior can be changed by defining names for each config and defining boolean_expr below. State is shared between successful requests on the chain, i.e., the headers returned from each successful auth service get appended into the final auth response.
booleanExpr .google.protobuf.StringValue How to handle processing of named configs within an auth config chain. An example config might be: ( basic1 || basic2 || (oidc1 && !oidc2) ). The boolean expression is evaluated left to right but honors parentheses and short-circuiting.
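To make the evaluation rules concrete, here is an added Go example (not Gloo's own evaluator) that parses a booleanExpr such as ( basic1 || basic2 || (oidc1 && !oidc2) ) and evaluates it left to right with short-circuiting, consulting each named config only while its result is still needed. The grammar (names, !, &&, ||, parentheses) and the check callback standing in for running a config are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// evaluator is a recursive-descent evaluator for the boolean_expr grammar
// assumed here (config names, !, &&, ||, parentheses). Evaluation is left to
// right with short-circuiting: a config is consulted only while its result is
// still needed, but the whole expression is always parsed for syntax errors.
type evaluator struct {
	toks  []string
	pos   int
	check func(name string) bool // runs (or looks up) one named auth config
}

// tokenize splits the expression into names, operators and parentheses.
func tokenize(expr string) []string {
	r := strings.NewReplacer("(", " ( ", ")", " ) ", "!", " ! ", "&&", " && ", "||", " || ")
	return strings.Fields(r.Replace(expr))
}

func (e *evaluator) peek() string {
	if e.pos < len(e.toks) {
		return e.toks[e.pos]
	}
	return ""
}

// orExpr := andExpr ('||' andExpr)*; after a true operand the rest is parsed dead.
func (e *evaluator) orExpr(live bool) (bool, error) {
	v, err := e.andExpr(live)
	for err == nil && e.peek() == "||" {
		e.pos++
		r, rerr := e.andExpr(live && !v)
		v, err = v || r, rerr
	}
	return v, err
}

// andExpr := factor ('&&' factor)*; after a false operand the rest is parsed dead.
func (e *evaluator) andExpr(live bool) (bool, error) {
	v, err := e.factor(live)
	for err == nil && e.peek() == "&&" {
		e.pos++
		r, rerr := e.factor(live && v)
		v, err = v && r, rerr
	}
	return v, err
}

// factor := '!' factor | '(' orExpr ')' | name
func (e *evaluator) factor(live bool) (bool, error) {
	switch t := e.peek(); t {
	case "!":
		e.pos++
		v, err := e.factor(live)
		return !v, err
	case "(":
		e.pos++
		v, err := e.orExpr(live)
		if err == nil && e.peek() != ")" {
			err = fmt.Errorf("missing ')' at token %d", e.pos)
		}
		e.pos++
		return v, err
	case "", ")", "&&", "||":
		return false, fmt.Errorf("unexpected token %q at %d", t, e.pos)
	default:
		e.pos++
		if !live {
			return false, nil // dead branch: the name is parsed but never consulted
		}
		return e.check(t), nil
	}
}

// Evaluate returns the chain decision for expr; check runs only for configs
// whose result the expression needs.
func Evaluate(expr string, check func(string) bool) (bool, error) {
	e := &evaluator{toks: tokenize(expr), check: check}
	v, err := e.orExpr(true)
	if err == nil && e.pos != len(e.toks) {
		return false, fmt.Errorf("unexpected token %q at %d", e.peek(), e.pos)
	}
	return v, err
}

func main() {
	// Constructed outcomes for the example expression from the description above.
	results := map[string]bool{"basic1": false, "basic2": false, "oidc1": true, "oidc2": false}
	ok, err := Evaluate("( basic1 || basic2 || (oidc1 && !oidc2) )", func(n string) bool { return results[n] })
	fmt.Println(ok, err)
}
```

With basic1 succeeding, only basic1 is consulted; with basic1 and basic2 failing, oidc1 must succeed and oidc2 must fail for the chain to authorize.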

OAuthConfig

Deprecated, prefer OAuth2Config

"clientId": string
"clientSecret": string
"issuerUrl": string
"authEndpointQueryParams": map<string, string>
"appUrl": string
"callbackPath": string
"scopes": []string

Field Type Description
clientId string Your client ID as registered with the issuer.
clientSecret string Your client secret as registered with the issuer.
issuerUrl string The URL of the issuer. We will look for OIDC information at issuerUrl + ".well-known/openid-configuration".
authEndpointQueryParams map<string, string> Extra query parameters to apply to the Ext-Auth service's authorization request to the identity provider.
appUrl string Where to redirect after successful auth; if the original URL cannot be determined, this should be your publicly available app URL.
callbackPath string A callback path relative to the app URL that will be used for OIDC callbacks. It must not be used by the application.
scopes []string Scopes to request in addition to the openid scope.

OidcAuthorizationCodeConfig

"clientId": string
"clientSecret": string
"issuerUrl": string
"authEndpointQueryParams": map<string, string>
"tokenEndpointQueryParams": map<string, string>
"appUrl": string
"callbackPath": string
"logoutPath": string
"afterLogoutUrl": string
"scopes": []string
"session": .enterprise.gloo.solo.io.UserSession
"headers": .enterprise.gloo.solo.io.HeaderConfiguration
"discoveryOverride": .enterprise.gloo.solo.io.DiscoveryOverride
"discoveryPollInterval": .google.protobuf.Duration
"jwksCacheRefreshPolicy": .enterprise.gloo.solo.io.JwksOnDemandCacheRefreshPolicy
"sessionIdHeaderName": string

Field Type Description
clientId string Your client ID as registered with the issuer.
clientSecret string Your client secret as registered with the issuer.
issuerUrl string The URL of the issuer. We will look for OIDC information at issuerUrl + ".well-known/openid-configuration".
authEndpointQueryParams map<string, string> Extra query parameters to apply to the Ext-Auth service's authorization request to the identity provider. This can be useful for flows such as PKCE (https://www.oauth.com/oauth2-servers/pkce/authorization-request/) to set the code_challenge and code_challenge_method.
tokenEndpointQueryParams map<string, string> Extra query parameters to apply to the Ext-Auth service's token request to the identity provider. This can be useful for flows such as PKCE (https://www.oauth.com/oauth2-servers/pkce/authorization-request/) to set the code_verifier.
appUrl string Where to redirect after successful auth; if the original URL cannot be determined, this should be your publicly available app URL.
callbackPath string A callback path relative to the app URL that will be used for OIDC callbacks. It must not be used by the application.
logoutPath string A path relative to the app URL that will be used for logging out from an OIDC session. It should not be used by the application. If not provided, logout functionality will be disabled.
afterLogoutUrl string URL to redirect to after logout. This should be a publicly available URL. If not provided, it will default to the app_url.
scopes []string Scopes to request in addition to the openid scope.
session .enterprise.gloo.solo.io.UserSession
headers .enterprise.gloo.solo.io.HeaderConfiguration Configures headers added to requests.
discoveryOverride .enterprise.gloo.solo.io.DiscoveryOverride OIDC configuration is discovered at /.well-known/openid-configuration. The configuration override defines any properties that should override this discovered configuration. For example, the following AuthConfig CRD could be defined as:

apiVersion: enterprise.gloo.solo.io/v1
kind: AuthConfig
metadata:
  name: google-oidc
  namespace: gloo-system
spec:
  configs:
  - oauth:
      app_url: http://localhost:8080
      callback_path: /callback
      client_id: $CLIENT_ID
      client_secret_ref:
        name: google
        namespace: gloo-system
      issuer_url: https://accounts.google.com
      discovery_override:
        token_endpoint: "https://token.url/gettoken"

This ensures that regardless of what value is discovered at /.well-known/openid-configuration, "https://token.url/gettoken" will be used as the token endpoint.
discoveryPollInterval .google.protobuf.Duration The interval at which OIDC configuration is discovered at /.well-known/openid-configuration. If not specified, the default value is 30 minutes.
jwksCacheRefreshPolicy .enterprise.gloo.solo.io.JwksOnDemandCacheRefreshPolicy If a user executes a request with a key that is not found in the JWKS, it could be that the keys have rotated on the remote source, and not yet in the local cache. This policy lets you define the behavior for how to refresh the local cache during a request where an invalid key is provided.
sessionIdHeaderName string If set, the randomly generated session ID will be sent to the token endpoint as part of the code exchange. The session ID is used as the key for sessions in Redis.

AccessTokenValidationConfig

"introspectionUrl": string
"jwt": .enterprise.gloo.solo.io.ExtAuthConfig.AccessTokenValidationConfig.JwtValidation
"introspection": .enterprise.gloo.solo.io.ExtAuthConfig.AccessTokenValidationConfig.IntrospectionValidation
"userinfoUrl": string
"cacheTimeout": .google.protobuf.Duration
"requiredScopes": .enterprise.gloo.solo.io.ExtAuthConfig.AccessTokenValidationConfig.ScopeList

Field Type Description
introspectionUrl string The URL for the OAuth2.0 Token Introspection endpoint. If provided, the (opaque) access token provided or received from the oauth authorization endpoint will be validated against this endpoint, or locally cached responses for this access token. This field is deprecated as it does not support authenticated introspection requests. Only one of introspectionUrl, jwt, or introspection can be set.
jwt .enterprise.gloo.solo.io.ExtAuthConfig.AccessTokenValidationConfig.JwtValidation Validate access tokens that conform to the JSON Web Token (JWT) specification. Only one of jwt, introspectionUrl, or introspection can be set.
introspection .enterprise.gloo.solo.io.ExtAuthConfig.AccessTokenValidationConfig.IntrospectionValidation Defines how (opaque) access tokens, received from the oauth authorization endpoint, are validated using the OAuth2.0 Token Introspection specification. Only one of introspection, introspectionUrl, or jwt can be set.
userinfoUrl string The URL for the OIDC userinfo endpoint. If provided, the (opaque) access token provided or received from the oauth endpoint will be queried and the userinfo response (or cached response) will be added to the AuthorizationRequest state under the “introspection” key. This can be useful to leverage the userinfo response in, for example, an external auth server plugin.
cacheTimeout .google.protobuf.Duration How long the token introspection and userinfo endpoint response for a specific access token should be kept in the in-memory cache. The result will be invalidated at this timeout, or at “exp” time from the introspection result, whichever comes sooner. If omitted, defaults to 10 minutes. If zero, then no caching will be done.
requiredScopes .enterprise.gloo.solo.io.ExtAuthConfig.AccessTokenValidationConfig.ScopeList Require the access token to have all of the scopes in the given list. This configuration applies to both opaque and JWT tokens. In the case of opaque tokens, this will check the scopes returned in the "scope" member of the introspection response (as described in Section 2.2 of RFC7662). In the case of JWTs the scopes to be validated are expected to be contained in the "scope" claim of the token in the form of a space-separated string. Omitting this field means that scope validation will be skipped.

JwtValidation

Defines how JSON Web Token (JWT) access tokens are validated.

Tokens are validated using a JSON Web Key Set (as defined in Section 5 of RFC7517), which can be either inlined in the configuration or fetched from a remote location via HTTP. Any keys in the JWKS that are not intended for signature verification (i.e. whose “use” parameter is not “sig”) will be ignored by the system, as will keys that do not specify a “kid” (Key ID) parameter.

The JWT to be validated must define non-empty “kid” and “alg” headers. The “kid” header determines which key in the JWKS will be used to verify the signature of the token; if no matching key is found, the token will be rejected.

If present, the server will verify the “exp”, “iat”, and “nbf” standard JWT claims. Validation of the “iss” claim and of token scopes can be configured as well. If the JWT has been successfully validated, its set of claims will be added to the AuthorizationRequest state under the “jwtAccessToken” key.

"remoteJwks": .enterprise.gloo.solo.io.ExtAuthConfig.AccessTokenValidationConfig.JwtValidation.RemoteJwks
"localJwks": .enterprise.gloo.solo.io.ExtAuthConfig.AccessTokenValidationConfig.JwtValidation.LocalJwks
"issuer": string

Field Type Description
remoteJwks .enterprise.gloo.solo.io.ExtAuthConfig.AccessTokenValidationConfig.JwtValidation.RemoteJwks Fetches the JWKS from a remote location. Only one of remoteJwks or localJwks can be set.
localJwks .enterprise.gloo.solo.io.ExtAuthConfig.AccessTokenValidationConfig.JwtValidation.LocalJwks Loads the JWKS from a local data source. Only one of localJwks or remoteJwks can be set.
issuer string Allow only tokens that have been issued by this principal (i.e. whose “iss” claim matches this value). If empty, issuer validation will be skipped.

RemoteJwks

Specifies how to fetch JWKS from remote and how to cache it.

"url": string
"refreshInterval": .google.protobuf.Duration

Field Type Description
url string The HTTP URI to fetch the JWKS.
refreshInterval .google.protobuf.Duration The frequency at which the JWKS should be refreshed. If not specified, the default value is 5 minutes.

LocalJwks

Represents a locally available JWKS.

"inlineString": string

Field Type Description
inlineString string JWKS is embedded as a string.

IntrospectionValidation

Defines how (opaque) access tokens, received from the oauth authorization endpoint, are validated using OAuth2.0 Token Introspection.

If the token introspection url requires client authentication, both the client_id and client_secret are required. If only one is provided, the config will be rejected. These values will be encoded in a basic auth header in order to authenticate the client.

"introspectionUrl": string
"clientId": string
"clientSecret": string
"userIdAttributeName": string

Field Type Description
introspectionUrl string The URL for the OAuth2.0 Token Introspection endpoint. If provided, the (opaque) access token provided or received from the oauth authorization endpoint will be validated against this endpoint, or locally cached responses for this access token.
clientId string Your client id as registered with the issuer. Optional: Use if the token introspection url requires client authentication.
clientSecret string Your client secret as registered with the issuer. Optional: Use if the token introspection url requires client authentication.
userIdAttributeName string The name of the introspection response attribute that contains the ID of the resource owner (e.g. sub, username). If specified, the external auth server will use the value of the attribute as the identifier of the authenticated user and add it to the request headers and/or dynamic metadata (depending on how the server is configured); if the field is set and the attribute cannot be found, the request will be denied. This field is optional and by default the server will not try to derive the user ID.

ScopeList

"scope": []string

Field Type Description
scope []string

OAuth2Config

"oidcAuthorizationCode": .enterprise.gloo.solo.io.ExtAuthConfig.OidcAuthorizationCodeConfig
"accessTokenValidationConfig": .enterprise.gloo.solo.io.ExtAuthConfig.AccessTokenValidationConfig

Field Type Description
oidcAuthorizationCode .enterprise.gloo.solo.io.ExtAuthConfig.OidcAuthorizationCodeConfig Provide the issuer location and let Gloo handle the OIDC flow for you. Requests are authorized by validating the contents of the ID token. Can also authorize the access token if configured. Only one of oidcAuthorizationCode or accessTokenValidationConfig can be set.
accessTokenValidationConfig .enterprise.gloo.solo.io.ExtAuthConfig.AccessTokenValidationConfig Provide the access token on the request and let Gloo handle authorization. According to https://tools.ietf.org/html/rfc6750 you can pass tokens through:
- form-encoded body parameter. recommended, more likely to appear. e.g.: Authorization: Bearer mytoken123
- URI query parameter e.g. access_token=mytoken123
- and (preferably) secure cookies.
Only one of accessTokenValidationConfig or oidcAuthorizationCode can be set.

ApiKeyAuthConfig

NOTE: This configuration is not user-facing and will be auto-generated.

"validApiKeys": map<string, .enterprise.gloo.solo.io.ExtAuthConfig.ApiKeyAuthConfig.KeyMetadata>
"headerName": string
"headersFromKeyMetadata": map<string, string>

Field Type Description
validApiKeys map<string, .enterprise.gloo.solo.io.ExtAuthConfig.ApiKeyAuthConfig.KeyMetadata> A mapping of valid API keys to their associated metadata. This map is automatically populated with the information from the relevant ApiKeySecrets.
headerName string (Optional) When receiving a request, the Gloo Edge Enterprise external auth server will look for an API key in a header with this name. This field is optional; if not provided it defaults to api-key.
headersFromKeyMetadata map<string, string> Determines the key metadata that will be included as headers on the upstream request. Each entry represents a header to add: the key is the name of the header, and the value is the key that will be used to look up the data entry in the key metadata.

KeyMetadata

"username": string
"metadata": map<string, string>

Field Type Description
username string The user is mapped to the name of the Secret which contains the ApiKeySecret.
metadata map<string, string> The metadata present on the ApiKeySecret.

OpaAuthConfig

"modules": map<string, string>
"query": string
"options": .enterprise.gloo.solo.io.OpaAuthOptions

Field Type Description
modules map<string, string> An optional map (filename to module content) of modules that assist in the resolution of the query.
query string The query that determines the auth decision. The result of this query must be either a boolean or an array with boolean as the first element. A boolean true value means that the request will be authorized. Any other value, or error, means that the request will be denied.
options .enterprise.gloo.solo.io.OpaAuthOptions Additional options for OPA auth configuration.

Config

"name": .google.protobuf.StringValue
"oauth": .enterprise.gloo.solo.io.ExtAuthConfig.OAuthConfig
"oauth2": .enterprise.gloo.solo.io.ExtAuthConfig.OAuth2Config
"basicAuth": .enterprise.gloo.solo.io.BasicAuth
"apiKeyAuth": .enterprise.gloo.solo.io.ExtAuthConfig.ApiKeyAuthConfig
"pluginAuth": .enterprise.gloo.solo.io.AuthPlugin
"opaAuth": .enterprise.gloo.solo.io.ExtAuthConfig.OpaAuthConfig
"ldap": .enterprise.gloo.solo.io.Ldap
"jwt": .google.protobuf.Empty
"passThroughAuth": .enterprise.gloo.solo.io.PassThroughAuth

Field Type Description
name .google.protobuf.StringValue optional: used when defining complex boolean logic, if boolean_expr is defined below. Also used in logging. If omitted, an automatically generated name will be used (e.g. config_0, of the pattern ‘config_$INDEX_IN_CHAIN’). In the case of plugin auth, this field is ignored in favor of the name assigned on the plugin config itself.
oauth .enterprise.gloo.solo.io.ExtAuthConfig.OAuthConfig Only one of oauth, oauth2, basicAuth, apiKeyAuth, pluginAuth, opaAuth, ldap, jwt, or passThroughAuth can be set.
oauth2 .enterprise.gloo.solo.io.ExtAuthConfig.OAuth2Config Only one of oauth2, oauth, basicAuth, apiKeyAuth, pluginAuth, opaAuth, ldap, jwt, or passThroughAuth can be set.
basicAuth .enterprise.gloo.solo.io.BasicAuth Only one of basicAuth, oauth, oauth2, apiKeyAuth, pluginAuth, opaAuth, ldap, jwt, or passThroughAuth can be set.
apiKeyAuth .enterprise.gloo.solo.io.ExtAuthConfig.ApiKeyAuthConfig Only one of apiKeyAuth, oauth, oauth2, basicAuth, pluginAuth, opaAuth, ldap, jwt, or passThroughAuth can be set.
pluginAuth .enterprise.gloo.solo.io.AuthPlugin Only one of pluginAuth, oauth, oauth2, basicAuth, apiKeyAuth, opaAuth, ldap, jwt, or passThroughAuth can be set.
opaAuth .enterprise.gloo.solo.io.ExtAuthConfig.OpaAuthConfig Only one of opaAuth, oauth, oauth2, basicAuth, apiKeyAuth, pluginAuth, ldap, jwt, or passThroughAuth can be set.
ldap .enterprise.gloo.solo.io.Ldap Only one of ldap, oauth, oauth2, basicAuth, apiKeyAuth, pluginAuth, opaAuth, jwt, or passThroughAuth can be set.
jwt .google.protobuf.Empty This is a “dummy” extauth service which can be used to support multiple auth mechanisms with JWT authentication. If Jwt authentication is to be used in the boolean expression in an AuthConfig, you can use this auth config type to include Jwt as an Auth config. In addition, allow_missing_or_failed_jwt must be set on the Virtual Host or Route that uses JWT auth or else the JWT filter will short circuit this behaviour. Only one of jwt, oauth, oauth2, basicAuth, apiKeyAuth, pluginAuth, opaAuth, ldap, or passThroughAuth can be set.
passThroughAuth .enterprise.gloo.solo.io.PassThroughAuth Only one of passThroughAuth, oauth, oauth2, basicAuth, apiKeyAuth, pluginAuth, opaAuth, ldap, or jwt can be set.