Authentication and authorization
This feature is available with a Gloo Mesh Gateway license only.
Why Authenticate in API Gateway Environments
API gateways act as a control point for the outside world to access the various application services (monoliths, microservices, serverless functions) running in your environment. In a microservices or hybrid application architecture, any number of these workloads need to accept incoming requests from external end users (clients). Incoming requests are treated as anonymous or authenticated, and depending on the service, you may want to establish and validate who the client is and which service they are requesting, and define any access or traffic control policies.
Gloo Mesh Gateway provides several mechanisms for authenticating requests. Gloo Mesh Gateway includes an external auth (Ext Auth) service that has built-in support for authenticating with Identity Providers over LDAP or OIDC. It also supports other forms of authentication, including basic auth and API keys. Ext Auth has a plugin and passthrough framework so that custom business logic for bespoke auth protocols can be loaded and configured easily with Gloo Mesh. Ext Auth also supports a dynamic, flexible language called Rego for applying fine-grained authorization policies using Open Policy Agent. Ext Auth configuration can be chained to perform a multi-step authentication and authorization process.
Finally, you can write your own custom authentication service and integrate it with Gloo Mesh Gateway.
The Ext Auth section below includes guides for all the different authentication sources supported out of the box, and a guide to creating your own plugins or passthrough server for custom authentication logic. Also included in this section is a guide for developing a Custom Auth service.
External authentication: Authenticate and authorize requests to your services using Gloo Mesh's external auth service
Basic auth: Authenticate using a dictionary of usernames and passwords on a virtual gateway
OAuth: Set up external auth with OAuth
API keys: Set up API key authentication
OPA authorization: Combine OpenID Connect with Open Policy Agent to achieve fine-grained policy with Gloo Mesh
LDAP: Authenticate and authorize requests using LDAP
Custom auth server: Use external authentication with your own auth server