Proto: ext_auth_policy.proto

Package: security.policy.gloo.solo.io



Field Description
workspaces (repeated ExtAuthPolicyReport.WorkspacesEntry)

The status of the resource in each workspace that it exists in.
selectedDestinationPorts (repeated common.gloo.solo.io.DestinationReference)

A list of destination ports selected by the policy.
selectedRoutes (repeated common.gloo.solo.io.RouteReference)

A list of references to all routes selected by the policy.


Field Description
key (string)

value (common.gloo.solo.io.Report)


ExtAuthPolicy is used to enforce external authorization/authentication of traffic matching selected routes or arriving at selected destinations. All ExtAuthPolicies in a workspace require an ExtAuthServer in order to function. If no ExtAuthServer is specified, a default configuration will be used. ExtAuthRoutePolicies can be applied at both the Route and Destination levels. The default is to apply the policy to all destinations.

Field Description
applyToRoutes (repeated common.gloo.solo.io.RouteSelector)

Select the routes where the policy will be applied. If left empty, no extauth policy will be applied to any routes in the workspace.
applyToDestinations (repeated common.gloo.solo.io.DestinationSelector)

Select the destinations where the policy will be applied. Default behavior if no selectors are specified is to apply to all destinations in the workspace. If left empty and the route selector is set, no extauth policy on destinations will be applied.
config (ExtAuthPolicySpec.Config)

The details of the external auth policy to apply to the selected routes and destinations.


Make sure to select the appropriate ExtAuthServer to use, which might be in a different cluster and namespace than the ExtAuthPolicy. For auth configurations that require a client secret from the identity provider issuer, the secret must be in the same cluster as the ExtAuthServer resource.

Field Description
disable (bool)

Set to true to disable auth on the route.
glooAuth (enterprise.gloo.solo.io.AuthConfigSpec)

Configure the selected route or destination with auth options provided by the Gloo Mesh Ext Auth service. The Ext Auth Service must be configured to use a Gloo Ext Auth service via an ExtAuthDestinationPolicy.
customAuth (ExtAuthPolicySpec.Config.CustomAuth)

Use this field if you are running your own custom extauth server. The destination service must be configured to use a custom ext auth service via an ExtAuthDestinationPolicy.
server (common.gloo.solo.io.ObjectReference)

Required: Reference to the ExtAuthServer to use for this policy. Currently routes on a single gateway must share a single ExtAuthServer. To create an ExtAuthServer resource, see External auth server setup.


Gloo Mesh is not expected to configure the ext auth server in this case. This is used with custom auth servers.

Field Description
contextExtensions (repeated ExtAuthPolicySpec.Config.CustomAuth.ContextExtensionsEntry)

When a request matches the route or destination on which this configuration is applied, Gloo Mesh will add the given context_extensions to the request that is sent to the external authorization server. This allows the server to base the auth decision on metadata that you define on the source of the request.
This attribute is analogous to Envoy's config.filter.http.ext_authz.v2.CheckSettings. See the official Envoy documentation for more details.


Field Description
key (string)

value (string)
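
The fields above, put together as an added example (not taken from the Gloo Mesh documentation or code base): an ExtAuthPolicy that sends matching routes to a custom auth server and attaches context extensions. The API version "v2", the selector sub-fields (route.labels), the ObjectReference sub-fields (name, namespace, cluster), and every name, label and key/value are assumptions.

```yaml
# Added example; version, selector sub-fields and all names are assumptions.
apiVersion: security.policy.gloo.solo.io/v2   # package from this page, version assumed
kind: ExtAuthPolicy
metadata:
  name: orders-custom-extauth        # hypothetical
  namespace: orders                  # hypothetical
spec:
  # A route selector is set, so the policy attaches only to matching routes.
  # If applyToRoutes were empty, no extauth policy would be applied to any
  # route in the workspace.
  applyToRoutes:
  - route:
      labels:
        auth: custom                 # hypothetical route label
  # applyToDestinations is left empty on purpose: with the route selector
  # set, no extauth policy is applied on destinations.
  config:
    # Required. The ExtAuthServer may be in a different cluster and
    # namespace than this policy; routes on a single gateway must share one.
    server:
      name: ext-auth-server          # hypothetical ExtAuthServer
      namespace: extauth             # hypothetical
      cluster: cluster-1             # hypothetical
    # Custom server: Gloo Mesh is not expected to configure it.
    customAuth:
      # Added to the request sent to the external authorization server,
      # so the server can base its decision on this metadata.
      contextExtensions:
        tier: internal               # constructed key/value pair
        owner: orders-team           # constructed key/value pair
```

After applying a policy like this, check numSelectedRoutes in its status: a value of 0 means the selector matched nothing and this policy is enforcing auth on no route.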


Reflects the status of the ExtAuthPolicy.

Field Description
common (common.gloo.solo.io.Status)

numSelectedDestinationPorts (uint32)

The number of destination ports selected by the policy.
numSelectedRoutes (uint32)

The number of routes selected by the policy.