Package : extauth.networking.mesh.gloo.solo.io



Table of Contents


Configuration for buffering the request data.

Field Type Label Description
maxRequestBytes uint32 Sets the maximum size of a message body that the filter will hold in memory. Envoy will return HTTP 413 and will not initiate the authorization process when buffer reaches the number set in this field. Note that this setting will have precedence over failure_mode_allow. Defaults to 4KB.
allowPartialMessage bool When this field is true, Envoy will buffer the message until max_request_bytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter.
packAsBytes bool When this field is true, Envoy will send the body sent to the external authorization service with raw bytes.


Gloo Mesh is not expected to configure the ext auth server in this case. This is used with custom auth servers.

Field Type Label Description
contextExtensions []extauth.networking.mesh.gloo.solo.io.CustomAuth.ContextExtensionsEntry repeated When a request matches the route or traffic policy on which this configuration is defined, Gloo Mesh will add the given context_extensions to the request that is sent to the external authorization server. This allows the server to base the auth decision on metadata that you define on the source of the request.
This attribute is analogous to Envoy's config.filter.http.ext_authz.v2.CheckSettings. See the official Envoy documentation for more details.


Field Type Label Description
key string
value string


Enterprise-Only: Configure the Extauth Filter on a Gateway

Field Type Label Description
extauthzRef core.skv2.solo.io.ObjectRef The destination ref for the envoy external authentication service to ask about auth decisions.
The fqdn used by envoy for extauth requests is derived from the kube service or is the first hostname in an external service destination. IMPORTANT: Envoy's extauth requests go to the port chosen from the destination that has the name or protocol of the extauth service protocol (i.e., grpc or http). In practice, this means the port handling extauth requests should be named grpc and/or have protocol GRPC (both case-insensitive), unless http_service is configured.
The provided ref will be used to search for a service of the given name/namespace on each cluster that a Gateway will be created.
If omitted, Gloo Mesh will search for a service with the name ext-auth-service in each namespace on each cluster that a Gateway will be created.
httpService extauth.networking.mesh.gloo.solo.io.HttpService If this is set, communication to the upstream will be via HTTP and not GRPC.
requestTimeout google.protobuf.Duration Timeout for the ext auth service to respond. Defaults to 2000ms. (OIDC requests to external IDPs can be slow) For latency critical applications, this value should be tuned much lower, as extauth is on the request path.
failureModeAllow bool In case of a failure or timeout querying the auth server, normally a request is denied. if this is set to true, the request will be allowed.
requestBody extauth.networking.mesh.gloo.solo.io.BufferSettings Set this if you also want to send the body of the request, and not just the headers.
clearRouteCache bool Clears route cache in order to allow the external authorization service to correctly affect routing decisions. Filter clears all cached routes when:
1. The field is set to true.
2. The status returned from the authorization service is a HTTP 200 or gRPC 0.
3. At least one authorization response header is added to the client request, or is used for altering another client request header.
statusOnError uint32 Sets the HTTP status that is returned to the client when there is a network error between the filter and the authorization server. The default status is HTTP 403 Forbidden. If set, this must be one of the following: - 100 - 200 201 202 203 204 205 206 207 208 226 - 300 301 302 303 304 305 307 308 - 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 421 422 423 424 426 428 429 431 - 500 501 502 503 504 505 506 507 508 510 511
transportApiVersion extauth.networking.mesh.gloo.solo.io.GatewayExtauth.ApiVersion Determines the API version for the ext_authz transport protocol that will be used by Envoy to communicate with the auth server. Defaults to V3. For more info, see the transport_api_version field here.
statPrefix string Optional additional prefix to use when emitting statistics. This allows to distinguish emitted statistics between configured ext_authz filters in an HTTP filter chain.


Field Type Label Description
pathPrefix string Sets a prefix to the value of authorization request header Path.
request extauth.networking.mesh.gloo.solo.io.HttpService.Request
response extauth.networking.mesh.gloo.solo.io.HttpService.Response


Field Type Label Description
allowedHeaders []string repeated These headers will be copied from the incoming request to the request going to the auth server. Note that in addition to the user's supplied matchers:
1. Host, Method, Path and Content-Length are automatically included to the list.
2. Content-Length will be set to 0 and the request to the authorization service will not have a message body.
headersToAdd []extauth.networking.mesh.gloo.solo.io.HttpService.Request.HeadersToAddEntry repeated These headers that will be included to the request to authorization service. Note that client request of the same key will be overridden.


Field Type Label Description
key string
value string


Field Type Label Description
allowedUpstreamHeaders []string repeated When this is set, authorization response headers that have a will be added to the original client request and sent to the upstream. Note that coexistent headers will be overridden.
allowedClientHeaders []string repeated When this. is set, authorization response headers that will be added to the client's response when auth request is denied. Note that when this list is not set, all the authorization response headers, except Authority (Host) will be in the response to the client. When a header is included in this list, Path, Status, Content-Length, WWW-Authenticate and Location are automatically added.


Extauth configuration for a Route or TrafficPolicy. Configures extauth for individual HTTP routes

Field Type Label Description
disable bool Set to true to disable auth on the route.
configRef core.skv2.solo.io.ObjectRef A reference to an AuthConfig. This is used to configure the mesh clients to identify themselves by matching their client identifier to the extauth server config for the same AuthConfig.
customAuth extauth.networking.mesh.gloo.solo.io.CustomAuth Use this field if you are running your own custom extauth server.


Describes the transport protocol version to use when envoy connects to the ext auth server.

Name Number Description
GLOO_MESH_AUTO 0 Use transport version that matches the version the default enterprise ext-auth-service uses.
ENVOY_AUTO 1 Use envoy's auto transport version. This will change as envoy cycles through transport api versions.
V3 2 Use v3 API.