External authentication and authorizationSet up an external authentication and authorization to protect the workloads in your cluster. For example, you can set up basic, passthrough, API key, OAuth, OPA, or LDAP authentication.
About external auth
API gateways act as a control point for the outside world to access the various application services that run in your environment, whether monoliths, microservices, or serverless functions. In microservices or hybrid application architecture, these workloads accept an increasingly large number of requests.
Requests can be anonymous or authenticated. You can use external authentication to establish and validate who the client is, which service the client is requesting, and what authorization the request has.
Gloo Gateway external auth architecture
Gloo Gateway provides two resources to help you manage external auth: an external auth server and policy.
To enforce external auth, each workspace must have an external auth server. You can let Gloo Gateway create a default configuration for you within your cluster. The default setup gives the you benefits of running within the cluster, including observability, telemetry, and mutual TLS. Also, each team gets its own server to use, as you must have one external auth server per workspace.
You can also configure your own external auth server within your Gloo environment or external to the Gloo environment.
The external auth server uses the external auth policies to enforce authentication and authorization of matching traffic. You can match traffic by selecting routes or destinations. If you don't select any routes or destinations, an external auth policy is applied to all destinations by default.
Currently, destinations can be backed by Kubernetes services or Gloo Gateway external services.
Supported types of external auth policies
Select the external auth type that meets your security requirements.
The external auth policy spec consists of a series of
configs that are executed in sequence. If any of the authentication configs fail, the request is denied by default. Instead of having multiple configs in the same policy, however, you can create separate policies. Then, apply these policies to the same route or destination, to perform more complex, multi-step authentication and authorization.
- Basic: Authenticate requests with a basic dictionary of usernames and passwords.
- API keys: Authenticate requests by using an API key.
- LDAP: Authenticate requests against membership information that is stored in a Lightweight Directory Access Protocol (LDAP) server.
- OAuth: Use OpenID Connect (OIDC) with the OAuth 2.0 protocol to have an external identity provider authenticate requests with an access token.
- OPA: Enforce Open Policy Agent (OPA) policies for more fine-grained access control.
- Passthrough: Authenticate requests with an external gRPC service.
Non-external auth: You can also use a [JSON web token (JWT) policy for simple verification.
Gloo Gateway provides a set of custom resources to make it even easier to set up external auth for all of the microservices in your environment.
- Scalable: Gloo Gateway gives you a set of reusable external auth resources that use Kubernetes selectors to automatically scale as your policies and workloads grow.
- Reusable for cluster ingress and service mesh traffic: You can use the same Gloo resources to apply policy to both traffic into your cluster (ingress or “north-south”) and across the services in your mesh (“east-west”). Such reuse lets you use Gloo Gateway together with Gloo Mesh easily.
- Persona-driven: As a platform administrator, you can set up the Gloo Gateway external auth server while registering your workload clusters. Then, your operators create the external auth policies that your developers can use across their services simply through Kubernetes labels.
External auth API reference
For more information, see the API docs for the external auth server and policy resources.
External auth guides
Server setupSet up the default or customize your own external auth server.
Basic external auth policyAuthenticate requests with a basic dictionary of usernames and passwords.
API keysAuthenticate requests by using an API key.
LDAPAuthenticate requests against membership information that is stored in a Lightweight Directory Access Protocol (LDAP) server.
OAuthUse OpenID Connect (OIDC) with the OAuth 2.0 protocol to have an external identity provider authenticate requests with an access token.
PassthroughAuthenticate requests with an external gRPC service.
OPAEnforce Open Policy Agent (OPA) policies for more fine-grained access control.