Why Authenticate in API Gateway Environments
API Gateways act as a control point for the outside world to access the various application services (monoliths, microservices, serverless functions) running in your environment. In microservices or hybrid application architecture, any number of these workloads will need to accept incoming requests from external end users (clients). Incoming requests can be treated as anonymous or authenticated and depending on the service, you may want to establish and validate who the client is, the service they are requesting and define any access or traffic control policies.
Authentication in Gloo
Gloo Enterprise provides a variety of authentication options to meet the needs of your environment. They range from supporting basic use cases to the complex and fine grained secure access control. Architecturally, Gloo uses an auth server to verify the user and their access. Gloo provides an auth server that can support OpenID Connect and basic use cases but also allows you to use your own auth server to implement custom logic.
By default, Gloo’s built-in Auth Server is deployed as its own Kubernetes pod. This means that, in order to authenticate a request, Gloo (which runs in a separate pod) needs to communicate with the service over the network. In case you deem this overhead not to be acceptable for your use case, you can deploy the server in sidecar mode.
In this configuration, the Ext Auth server will run as an additional container inside the
gateway-proxy pod(s) that run
Gloo’s Envoy instance(s) and communication with Envoy will occur via Unix Domain Sockets instead of TCP. This cuts out
the overhead associated with the TCP protocol and can provide huge performance benefits (40%+ in some benchmarks).
You can activate this mode by installing Gloo with Helm and providing the following value override:
|global.extensions.extAuth.envoySidecar||bool||Deploy ext-auth as a sidecar to Envoy instances. Communication occurs over Unix Domain Sockets instead of TCP. Default is
For more details, check out the individual guides for each of the Gloo auth modules:
Basic Auth: Authenticating using a dictionary of usernames and passwords on a virtual service.
OAuth: External Auth with Oauth
Json Web Tokens (JWT): Introduction to JWT and what they are used for
ApiKey Auth: How to setup ApiKey authentication.
OPA Authorization: Illustrating how to combine OpenID Connect with Open Policy Agent to achieve fine grained policy with Gloo.
LDAP: Authenticate and authorize requests using LDAP.
Custom Auth server: External Authentication with your own auth server
Plugin Auth: Extend Gloo's built-in auth server with custom Go plugins