extauth.proto

Package: extauth.plugins.gloo.solo.io

Types:

Source File: github.com/solo-io/solo-projects/projects/gloo/api/v1/plugins/extauth/extauth.proto

Settings

"extauthzServerRef": .core.solo.io.ResourceRef
"httpService": .extauth.plugins.gloo.solo.io.HttpService
"userIdHeader": string
"requestTimeout": .google.protobuf.Duration
"failureModeAllow": bool
"requestBody": .extauth.plugins.gloo.solo.io.BufferSettings
"clearRouteCache": bool
"statusOnError": int
Field Type Description Default
extauthzServerRef .core.solo.io.ResourceRef The upstream to ask about auth decisions
httpService .extauth.plugins.gloo.solo.io.HttpService If this is set, communication to the upstream will be with HTTP and not GRPC.
userIdHeader string If the auth server returns a trusted id for the user, it will be set in this header. Specifically, this means that this header will be sanitized (removed) from the incoming request, so a client cannot supply its own value.
requestTimeout .google.protobuf.Duration Timeout for the ext auth service to respond. defaults to 200ms
failureModeAllow bool In case of a failure or timeout querying the auth server, normally a request is denied. if this is set to true, the request will be allowed.
requestBody .extauth.plugins.gloo.solo.io.BufferSettings Set this if you also want to send the body of the request, and not just the headers.
clearRouteCache bool Clears route cache in order to allow the external authorization service to correctly affect routing decisions. Filter clears all cached routes when: 1. The field is set to true. 2. The status returned from the authorization service is a HTTP 200 or gRPC 0. 3. At least one authorization response header is added to the client request, or is used for altering another client request header.
statusOnError int Sets the HTTP status that is returned to the client when there is a network error between the filter and the authorization server. The default status is HTTP 403 Forbidden. If set, this must be one of the following: - 100 - 200 201 202 203 204 205 206 207 208 226 - 300 301 302 303 304 305 307 308 - 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 421 422 423 424 426 428 429 431 - 500 501 502 503 504 505 506 507 508 510 511

HttpService

"pathPrefix": string
"request": .extauth.plugins.gloo.solo.io.HttpService.Request
"response": .extauth.plugins.gloo.solo.io.HttpService.Response
Field Type Description Default
pathPrefix string Sets a prefix to the value of authorization request header Path.
request .extauth.plugins.gloo.solo.io.HttpService.Request
response .extauth.plugins.gloo.solo.io.HttpService.Response

Request

"allowedHeaders": []string
"headersToAdd": map<string, string>
Field Type Description Default
allowedHeaders []string These headers will be copied from the incoming request to the request going to the auth server. Note that in addition to the headers you list: 1. Host, Method, Path and Content-Length are automatically added to the list. 2. Content-Length will be set to 0 and the request to the authorization service will not have a message body.
headersToAdd map<string, string> These headers will be added to the request sent to the authorization service. Note that client request headers with the same key will be overridden.

Response

"allowedUpstreamHeaders": []string
"allowedClientHeaders": []string
Field Type Description Default
allowedUpstreamHeaders []string When this is set, authorization response headers that match an entry in this list will be added to the original client request and sent to the upstream. Note that existing headers with the same name will be overridden.
allowedClientHeaders []string When this is set, authorization response headers that match an entry in this list will be added to the client’s response when the auth request is denied. Note that when this list is not set, all the authorization response headers, except Authority (Host), will be in the response to the client. When a header is included in this list, Path, Status, Content-Length, WWW-Authenticate and Location are automatically added.
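The header filtering the Request and Response tables describe, as an added Go example; this is not code from Gloo or Envoy, and ClientRequest, BuildAuthRequest, UpstreamHeaders and ClientDenyHeaders are names chosen here. It models the client request with Method, Path and Host as struct fields, since Envoy carries those as pseudo-headers, and shows the two sides of the allow-lists: which client headers the auth server gets to see, and which auth-server headers reach the upstream or the client.

```go
package main

import (
	"fmt"
	"net/http"
)

// ClientRequest is this example's stand-in for the request Envoy holds.
// Method, Path and Host are fields because Envoy carries them as
// pseudo-headers; Headers holds the ordinary headers.
type ClientRequest struct {
	Method, Path, Host string
	Headers            http.Header
	Body               []byte
}

// canon builds a lookup set of header names in canonical form so that
// matching is case-insensitive, as header names are.
func canon(names []string) map[string]bool {
	set := make(map[string]bool, len(names))
	for _, n := range names {
		set[http.CanonicalHeaderKey(n)] = true
	}
	return set
}

// BuildAuthRequest applies HttpService.pathPrefix and HttpService.Request:
// only allowedHeaders are copied from the client request, Host/Method/Path
// and Content-Length are always carried, Content-Length is forced to 0 and
// the body is dropped, and headersToAdd override any copied header of the
// same key.
func BuildAuthRequest(req ClientRequest, pathPrefix string, allowedHeaders []string, headersToAdd map[string]string) ClientRequest {
	allowed := canon(allowedHeaders)
	out := ClientRequest{Method: req.Method, Path: pathPrefix + req.Path, Host: req.Host, Headers: http.Header{}}
	for name, values := range req.Headers {
		key := http.CanonicalHeaderKey(name)
		if allowed[key] {
			out.Headers[key] = append([]string(nil), values...)
		}
	}
	out.Headers.Set("Content-Length", "0") // no body travels to the auth server
	for name, value := range headersToAdd {
		out.Headers.Set(name, value) // Set canonicalises the key and overrides
	}
	return out
}

// UpstreamHeaders applies Response.allowedUpstreamHeaders on an allowed
// request: matching auth-response headers are merged into the headers bound
// for the upstream, overriding any existing header of that name.
func UpstreamHeaders(clientHeaders, authResponse http.Header, allowedUpstreamHeaders []string) http.Header {
	allowed := canon(allowedUpstreamHeaders)
	out := clientHeaders.Clone()
	for name, values := range authResponse {
		key := http.CanonicalHeaderKey(name)
		if allowed[key] {
			out[key] = append([]string(nil), values...)
		}
	}
	return out
}

// ClientDenyHeaders applies Response.allowedClientHeaders on a denied
// request. An empty list means every auth-response header except Host reaches
// the client; a non-empty list is honoured together with the headers the page
// says are always added (Path, Status, Content-Length, WWW-Authenticate, Location).
func ClientDenyHeaders(authResponse http.Header, allowedClientHeaders []string) http.Header {
	out := http.Header{}
	var allowed map[string]bool
	if len(allowedClientHeaders) > 0 {
		allowed = canon(append([]string{"Path", "Status", "Content-Length", "WWW-Authenticate", "Location"}, allowedClientHeaders...))
	}
	for name, values := range authResponse {
		key := http.CanonicalHeaderKey(name)
		if allowed == nil && key == "Host" {
			continue // the only header dropped when no allow-list is configured
		}
		if allowed == nil || allowed[key] {
			out[key] = append([]string(nil), values...)
		}
	}
	return out
}

func main() {
	// Constructed sample request: the session cookie must not reach the auth server.
	req := ClientRequest{Method: "GET", Path: "/orders/42", Host: "shop.example",
		Headers: http.Header{"Authorization": {"Bearer abc"}, "Cookie": {"session=1"}, "Content-Length": {"17"}},
		Body:    []byte(`{"qty":1}`)}
	auth := BuildAuthRequest(req, "/check", []string{"authorization"}, map[string]string{"X-Auth-Source": "gateway"})
	fmt.Println(auth.Path, auth.Headers)
	// Constructed auth-server deny response: with no allow-list the debug header leaks to the client.
	denied := http.Header{"Www-Authenticate": {"Bearer"}, "X-Internal-Debug": {"policy trace"}, "Host": {"auth.internal"}}
	fmt.Println("no allow-list:", ClientDenyHeaders(denied, nil))
	fmt.Println("allow-list:   ", ClientDenyHeaders(denied, []string{"x-request-id"}))
}
```

The deny-side default is the one to watch: with allowedClientHeaders unset, everything the auth server puts in its response except Host is forwarded to the client, so any diagnostic headers the auth server emits become visible externally.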

BufferSettings

Configuration for buffering the request data.

"maxRequestBytes": int
"allowPartialMessage": bool
Field Type Description Default
maxRequestBytes int Sets the maximum size of a message body that the filter will hold in memory. Envoy will return HTTP 413 and will not initiate the authorization process when buffer reaches the number set in this field. Note that this setting will have precedence over failure_mode_allow. Defaults to 4KB.
allowPartialMessage bool When this field is true, Envoy will buffer the message until max_request_bytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter.
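The interaction between requestTimeout, failureModeAllow and statusOnError in the Settings table and the buffer limits in BufferSettings, worked through in Go. This is an added example, not Gloo or Envoy code: the Settings struct, Classify and Decide are this example's own constructions that follow the field descriptions on this page, and the auth server call is simulated by a latency value and an answer rather than a real request.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Settings collects the fields of the Settings and BufferSettings messages
// that decide what the filter does when the auth server cannot answer or the
// request body is too large. Field names follow the page; the struct is the
// example's own.
type Settings struct {
	RequestTimeout      time.Duration // 0 means the documented default of 200ms
	FailureModeAllow    bool
	StatusOnError       int // 0 means unset; the filter then uses 403
	MaxRequestBytes     int // 0 means the documented default of 4KB
	AllowPartialMessage bool
}

// statusOnErrorAllowed is the set of values the page lists for statusOnError.
var statusOnErrorAllowed = map[int]bool{}

func init() {
	for _, s := range []int{
		100,
		200, 201, 202, 203, 204, 205, 206, 207, 208, 226,
		300, 301, 302, 303, 304, 305, 307, 308,
		400, 401, 402, 403, 404, 405, 406, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, 417, 421, 422, 423, 424, 426, 428, 429, 431,
		500, 501, 502, 503, 504, 505, 506, 507, 508, 510, 511,
	} {
		statusOnErrorAllowed[s] = true
	}
}

// Validate rejects a statusOnError that is not in the documented set.
func (s Settings) Validate() error {
	if s.StatusOnError != 0 && !statusOnErrorAllowed[s.StatusOnError] {
		return fmt.Errorf("statusOnError %d is not an allowed HTTP status", s.StatusOnError)
	}
	return nil
}

// Outcome is what the filter learned from the auth server.
type Outcome int

const (
	Allowed     Outcome = iota // server answered: let the request through
	Denied                     // server answered: reject
	Unreachable                // network error, or no answer within requestTimeout
)

// ErrTimeout stands in for the transport timeout a real client would report.
var ErrTimeout = errors.New("auth server did not answer in time")

// Classify turns a simulated auth call into an Outcome: latency is how long
// the server took, allowed is its answer, err is a transport failure.
func Classify(s Settings, latency time.Duration, allowed bool, err error) (Outcome, error) {
	timeout := s.RequestTimeout
	if timeout == 0 {
		timeout = 200 * time.Millisecond
	}
	if err != nil {
		return Unreachable, err
	}
	if latency > timeout {
		return Unreachable, ErrTimeout
	}
	if allowed {
		return Allowed, nil
	}
	return Denied, nil
}

// Decide returns the status sent to the client, or 0 when the request is
// forwarded to the upstream. bodyLen is the number of body bytes buffered.
func Decide(s Settings, bodyLen int, outcome Outcome) int {
	maxBytes := s.MaxRequestBytes
	if maxBytes == 0 {
		maxBytes = 4 * 1024
	}
	// The buffer limit is checked before the auth server is asked, so it takes
	// precedence over failureModeAllow: a body larger than the limit is a 413
	// even in fail-open mode, unless allowPartialMessage lets the truncated
	// body be sent for authorization.
	if bodyLen > maxBytes && !s.AllowPartialMessage {
		return 413
	}
	switch outcome {
	case Allowed:
		return 0
	case Denied:
		return 403
	default: // Unreachable
		if s.FailureModeAllow {
			return 0 // fail open: the request proceeds without an auth decision
		}
		if s.StatusOnError != 0 {
			return s.StatusOnError
		}
		return 403 // fail closed with the documented default status
	}
}

func main() {
	closed := Settings{}
	open := Settings{FailureModeAllow: true}
	outcome, _ := Classify(closed, 350*time.Millisecond, true, nil) // slower than the 200ms default
	fmt.Println("fail-closed, timeout ->", Decide(closed, 10, outcome))
	fmt.Println("fail-open, timeout   ->", Decide(open, 10, outcome))
	fmt.Println("fail-open, 8KB body  ->", Decide(open, 8*1024, outcome))
}
```

failureModeAllow turns every reachability failure into a silent allow, which is why the fail-open case is worth an explicit check in any deployment review; the buffer check runs before any auth call and therefore still returns 413 in fail-open mode, which is the precedence the maxRequestBytes description states.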

CustomAuth

Gloo is not expected to configure the ext auth server in this case. This is used with custom auth servers.

Field Type Description Default

PluginAuth

Configures auth via dynamically loaded Go plugins. Deprecated

"plugins": []extauth.plugins.gloo.solo.io.AuthPlugin
Field Type Description Default
plugins []extauth.plugins.gloo.solo.io.AuthPlugin Deprecated

AuthPlugin

"name": string
"pluginFileName": string
"exportedSymbolName": string
"config": .google.protobuf.Struct
Field Type Description Default
name string Name of the plugin
pluginFileName string Name of the compiled plugin file. If not specified, GlooE will look for an “.so” file with the same name as the plugin.
exportedSymbolName string Name of the exported symbol that implements the plugin interface in the plugin. If not specified, defaults to the name of the plugin.
config .google.protobuf.Struct

BasicAuth

"realm": string
"apr": .extauth.plugins.gloo.solo.io.BasicAuth.Apr
Field Type Description Default
realm string
apr .extauth.plugins.gloo.solo.io.BasicAuth.Apr

Apr

"users": map<string, .extauth.plugins.gloo.solo.io.BasicAuth.Apr.SaltedHashedPassword>
Field Type Description Default
users map<string, .extauth.plugins.gloo.solo.io.BasicAuth.Apr.SaltedHashedPassword>

SaltedHashedPassword

"salt": string
"hashedPassword": string
Field Type Description Default
salt string
hashedPassword string

OAuth

"clientId": string
"clientSecretRef": .core.solo.io.ResourceRef
"issuerUrl": string
"appUrl": string
"callbackPath": string
"scopes": []string
Field Type Description Default
clientId string Your client id as registered with the issuer.
clientSecretRef .core.solo.io.ResourceRef Your client secret as registered with the issuer.
issuerUrl string The url of the issuer. We will look for OIDC information in issuerUrl + “.well-known/openid-configuration”.
appUrl string Where to redirect after successful auth. If we can’t determine the original url, this should be your publicly available app url.
callbackPath string A callback path, relative to app url, that will be used for OIDC callbacks. It must not be used by the application.
scopes []string Scopes to request in addition to the openid scope.

OauthSecret

"clientSecret": string
Field Type Description Default
clientSecret string

ApiKeyAuth

"labelSelector": map<string, string>
"apiKeySecretRefs": []core.solo.io.ResourceRef
Field Type Description Default
labelSelector map<string, string> identify all valid apikey secrets using the provided label selector. apikey secrets must be in gloo’s watch namespaces for gloo to locate them
apiKeySecretRefs []core.solo.io.ResourceRef a way to reference apikey secrets individually (good for testing); prefer apikey groups via label selector

ApiKeySecret

"generateApiKey": bool
"apiKey": string
"labels": []string
Field Type Description Default
generateApiKey bool if true, generate an apikey
apiKey string if present, use the provided apikey
labels []string a list of labels (key=value) for the apikey secret. virtual services may look for these labels using a provided label selector

OpaAuth

"modules": []core.solo.io.ResourceRef
"query": string
Field Type Description Default
modules []core.solo.io.ResourceRef Optional references to config maps containing modules that assist in the resolution of the query.
query string The query that determines the auth decision. The result of this query must be either a boolean or an array with boolean as the first element. A boolean true value means that the request will be authorized. Any other value, or error, means that the request will be denied.

Ldap

Authenticates and authorizes requests by querying an LDAP server. Gloo makes the following assumptions:
* Requests provide credentials via the basic HTTP authentication header. Gloo will BIND to the LDAP server using the credentials extracted from the header.
* Your LDAP server is configured so that each entry you want to authorize has an attribute that indicates its group memberships. A common way of achieving this is by using the memberof overlay.

"address": string
"userDnTemplate": string
"membershipAttributeName": string
"allowedGroups": []string
Field Type Description Default
address string Address of the LDAP server to query. Should be in the form <host>:<port>.
userDnTemplate string Template to build user entry distinguished names (DN). This must contain a single occurrence of the “%s” placeholder. When processing a request, Gloo will substitute the name of the user (extracted from the auth header) for the placeholder and issue a search request with the resulting DN as baseDN (and ‘base’ search scope). E.g. “uid=%s,ou=people,dc=solo,dc=io”
membershipAttributeName string Case-insensitive name of the attribute that contains the names of the groups an entry is a member of. Gloo will look for attributes with the given name to determine which groups the user entry belongs to. Defaults to ‘memberOf’ if not provided.
allowedGroups []string In order for the request to be authenticated, the membership attribute (e.g. memberOf) on the user entry must contain at least one of the group DNs specified via this option. E.g. []string{ “cn=managers,ou=groups,dc=solo,dc=io”, “cn=developers,ou=groups,dc=solo,dc=io” }
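The LDAP flow described above, as an added Go example rather than Gloo's own implementation: the Directory map is a constructed in-memory stand-in for the LDAP server (a simple bind checked against a stored password, then a base-scope search that returns the entry), and Entry, LdapConfig, UserDN and Authorize are this example's names. Two steps are the example's own defensive choices that the page does not state Gloo performs: the substituted user name is escaped per RFC 4514 before it is placed in the DN template, and an empty password is rejected before the bind.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Entry is a directory entry as this example models it: a password the fake
// server accepts for a simple bind, and the entry's attributes.
type Entry struct {
	Password   string
	Attributes map[string][]string // e.g. "memberOf" -> group DNs
}

// Directory is a constructed in-memory stand-in for the LDAP server, keyed by DN.
type Directory map[string]Entry

// LdapConfig mirrors the Ldap message fields used below.
type LdapConfig struct {
	UserDnTemplate          string
	MembershipAttributeName string // "" means the documented default, memberOf
	AllowedGroups           []string
}

// Validate enforces the page's rule that the template holds exactly one "%s".
func (c LdapConfig) Validate() error {
	if strings.Count(c.UserDnTemplate, "%s") != 1 {
		return fmt.Errorf("userDnTemplate %q must contain exactly one %%s placeholder", c.UserDnTemplate)
	}
	return nil
}

// escapeRDNValue escapes the characters RFC 4514 reserves inside an RDN value.
// This is the example's own defensive step; the page does not say whether
// Gloo escapes the substituted name.
func escapeRDNValue(v string) string {
	var b strings.Builder
	for i, r := range v {
		switch {
		case strings.ContainsRune(",+\"\\<>;=", r),
			r == '#' && i == 0,
			r == ' ' && (i == 0 || i == len(v)-1):
			b.WriteByte('\\')
			b.WriteRune(r)
		case r == 0:
			b.WriteString(`\00`)
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// UserDN substitutes the escaped user name into the template.
func UserDN(c LdapConfig, user string) (string, error) {
	if err := c.Validate(); err != nil {
		return "", err
	}
	return strings.Replace(c.UserDnTemplate, "%s", escapeRDNValue(user), 1), nil
}

// memberships returns the values of the membership attribute, matching the
// attribute name case-insensitively as the page specifies.
func memberships(e Entry, attr string) []string {
	if attr == "" {
		attr = "memberOf"
	}
	for name, values := range e.Attributes {
		if strings.EqualFold(name, attr) {
			return values
		}
	}
	return nil
}

// Authorize follows the page's flow: parse the Basic header, bind as the
// templated DN with the supplied password, search that DN (base scope), and
// allow only if the membership attribute holds one of the allowed groups.
func Authorize(dir Directory, c LdapConfig, authorizationHeader string) (bool, error) {
	scheme, cred, ok := strings.Cut(authorizationHeader, " ")
	if !ok || !strings.EqualFold(scheme, "Basic") {
		return false, errors.New("missing or non-Basic Authorization header")
	}
	raw, err := base64.StdEncoding.DecodeString(cred)
	if err != nil {
		return false, err
	}
	user, password, ok := strings.Cut(string(raw), ":")
	if !ok {
		return false, errors.New("credentials are not user:password")
	}
	if password == "" {
		return false, nil // example's own choice: never attempt an empty-password bind
	}
	dn, err := UserDN(c, user)
	if err != nil {
		return false, err
	}
	// Simple bind against the fake server: known DN with the right password.
	entry, found := dir[dn]
	if !found || entry.Password != password {
		return false, nil // bind failed: authentication failure, not an error
	}
	// A search with baseDN = dn and base scope returns just this entry.
	for _, group := range memberships(entry, c.MembershipAttributeName) {
		for _, allowed := range c.AllowedGroups {
			if strings.EqualFold(group, allowed) { // DNs compare case-insensitively
				return true, nil
			}
		}
	}
	return false, nil // authenticated but not in an allowed group
}

// basic builds a Basic Authorization header value for the examples.
func basic(user, pass string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+pass))
}

func main() {
	dir := Directory{ // constructed sample directory
		"uid=alice,ou=people,dc=solo,dc=io": {Password: "s3cret", Attributes: map[string][]string{"memberOf": {"cn=developers,ou=groups,dc=solo,dc=io"}}},
	}
	cfg := LdapConfig{UserDnTemplate: "uid=%s,ou=people,dc=solo,dc=io",
		AllowedGroups: []string{"cn=managers,ou=groups,dc=solo,dc=io", "cn=developers,ou=groups,dc=solo,dc=io"}}
	ok, err := Authorize(dir, cfg, basic("alice", "s3cret"))
	fmt.Println("alice:", ok, err)
	dn, _ := UserDN(cfg, "alice,ou=admins")
	fmt.Println("escaped DN:", dn)
}
```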

AuthConfig

This message represents the user-facing auth configuration. When processed by Gloo, certain configuration types (i.a. oauth, opa) will be translated, e.g. to resolve resource references. See the ExtAuthConfig.AuthConfig for the final config format that will be included in the extauth snapshot.

"basicAuth": .extauth.plugins.gloo.solo.io.BasicAuth
"oauth": .extauth.plugins.gloo.solo.io.OAuth
"customAuth": .extauth.plugins.gloo.solo.io.CustomAuth
"apiKeyAuth": .extauth.plugins.gloo.solo.io.ApiKeyAuth
"pluginAuth": .extauth.plugins.gloo.solo.io.AuthPlugin
"opaAuth": .extauth.plugins.gloo.solo.io.OpaAuth
"ldap": .extauth.plugins.gloo.solo.io.Ldap
Field Type Description Default
basicAuth .extauth.plugins.gloo.solo.io.BasicAuth
oauth .extauth.plugins.gloo.solo.io.OAuth
customAuth .extauth.plugins.gloo.solo.io.CustomAuth
apiKeyAuth .extauth.plugins.gloo.solo.io.ApiKeyAuth
pluginAuth .extauth.plugins.gloo.solo.io.AuthPlugin
opaAuth .extauth.plugins.gloo.solo.io.OpaAuth
ldap .extauth.plugins.gloo.solo.io.Ldap

VhostExtension

"basicAuth": .extauth.plugins.gloo.solo.io.BasicAuth
"oauth": .extauth.plugins.gloo.solo.io.OAuth
"customAuth": .extauth.plugins.gloo.solo.io.CustomAuth
"apiKeyAuth": .extauth.plugins.gloo.solo.io.ApiKeyAuth
"pluginAuth": .extauth.plugins.gloo.solo.io.PluginAuth
"configs": []extauth.plugins.gloo.solo.io.AuthConfig
Field Type Description Default
basicAuth .extauth.plugins.gloo.solo.io.BasicAuth Deprecated: use configs field instead.
oauth .extauth.plugins.gloo.solo.io.OAuth Deprecated: use configs field instead.
customAuth .extauth.plugins.gloo.solo.io.CustomAuth Deprecated: use configs field instead.
apiKeyAuth .extauth.plugins.gloo.solo.io.ApiKeyAuth Deprecated: use configs field instead.
pluginAuth .extauth.plugins.gloo.solo.io.PluginAuth Deprecated: use configs field instead.
configs []extauth.plugins.gloo.solo.io.AuthConfig A chain of AuthN/AuthZ configurations which will be executed in the order they are specified. The first plugin to deny a request will cause a 403 response to be returned; any subsequent plugin in the chain will not be executed. The headers on the OkHttpResponse returned from a plugin in the chain will be added to the request that will be sent to the next one(s) according to the rules described here: https://www.envoyproxy.io/docs/envoy/latest/api-v2/service/auth/v2/external_auth.proto#service-auth-v2-okhttpresponse
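The chain semantics above, together with the OpaAuth query rule (a result must be true, or an array whose first element is true, to authorize; anything else or an error denies), as an added Go example. Nothing here is Gloo code: Decision, AuthStep, RunChain, OpaAllows and the api-key header name are this example's constructions, and the policy is a plain Go function standing in for a Rego query. The chain is an api-key step that sets the user header, followed by a policy step that reads it, which shows the header hand-off between links.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Decision is what one link of the chain returns. Headers stand in for the
// OkHttpResponse headers merged into the request before the next link runs.
type Decision struct {
	Allowed bool
	Headers map[string]string
}

// AuthStep is one AuthConfig in VhostExtension.configs.
type AuthStep func(req map[string]string) (Decision, error)

// RunChain executes the steps in order. The first deny (or error) stops the
// chain with 403; on allow, the step's headers are merged into the request,
// overriding same-named headers, before the next step sees it. It returns the
// status and the request headers as they would reach the upstream.
func RunChain(steps []AuthStep, req map[string]string) (int, map[string]string) {
	cur := make(map[string]string, len(req))
	for k, v := range req {
		cur[k] = v
	}
	for _, step := range steps {
		d, err := step(cur)
		if err != nil || !d.Allowed {
			return 403, nil
		}
		for k, v := range d.Headers {
			cur[k] = v
		}
	}
	return 200, cur
}

// OpaAllows applies the OpaAuth.query rule to a raw JSON result: only `true`
// or an array whose first element is `true` authorizes; anything else,
// including a query error or unparsable output, denies.
func OpaAllows(resultJSON string, queryErr error) bool {
	if queryErr != nil {
		return false
	}
	var result interface{}
	if err := json.Unmarshal([]byte(resultJSON), &result); err != nil {
		return false
	}
	switch v := result.(type) {
	case bool:
		return v
	case []interface{}:
		if len(v) == 0 {
			return false
		}
		b, ok := v[0].(bool)
		return ok && b
	}
	return false
}

// ApiKeyStep mimics ApiKeyAuthConfig.validApiKeyAndUser: a valid key (read
// from the constructed "api-key" header) allows and sets the user header for
// the rest of the chain, replacing any client-supplied value.
func ApiKeyStep(validApiKeyAndUser map[string]string, userIdHeader string) AuthStep {
	return func(req map[string]string) (Decision, error) {
		user, ok := validApiKeyAndUser[req["api-key"]]
		if !ok {
			return Decision{}, nil
		}
		return Decision{Allowed: true, Headers: map[string]string{userIdHeader: user}}, nil
	}
}

// OpaStep wraps a toy policy, standing in for a Rego query, and interprets
// its raw result with OpaAllows.
func OpaStep(policy func(req map[string]string) (string, error)) AuthStep {
	return func(req map[string]string) (Decision, error) {
		result, err := policy(req)
		return Decision{Allowed: OpaAllows(result, err)}, nil
	}
}

// sampleChain builds the constructed two-link chain and records which links
// ran in executed, so the short-circuit on deny can be observed.
func sampleChain(executed *[]string) []AuthStep {
	keys := map[string]string{"k-alice-123": "alice"}
	apiKey := ApiKeyStep(keys, "x-user-id")
	policy := func(req map[string]string) (string, error) {
		*executed = append(*executed, "opa")
		if req["x-user-id"] == "alice" && req["method"] == "GET" {
			return `[true, "readers may GET"]`, nil
		}
		return `false`, nil
	}
	return []AuthStep{
		func(req map[string]string) (Decision, error) {
			*executed = append(*executed, "apikey")
			return apiKey(req)
		},
		OpaStep(policy),
	}
}

func main() {
	var executed []string
	status, headers := RunChain(sampleChain(&executed), map[string]string{"method": "GET", "api-key": "k-alice-123", "x-user-id": "admin"})
	fmt.Println(status, headers["x-user-id"], executed) // 200 alice [apikey opa]
	executed = nil
	status, _ = RunChain(sampleChain(&executed), map[string]string{"method": "GET", "api-key": "bogus"})
	fmt.Println(status, executed) // 403 [apikey]
}
```

The first run shows that a client-supplied x-user-id is replaced by the value the api-key link sets, so the policy link decides on the authenticated identity rather than a spoofed header; the second run shows the policy link never executing once the api-key link has denied.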

RouteExtension

"disable": bool
Field Type Description Default
disable bool

ExtAuthConfig

"vhost": string
"oauth": .extauth.plugins.gloo.solo.io.ExtAuthConfig.OAuthConfig
"basicAuth": .extauth.plugins.gloo.solo.io.BasicAuth
"apiKeyAuth": .extauth.plugins.gloo.solo.io.ExtAuthConfig.ApiKeyAuthConfig
"pluginAuth": .extauth.plugins.gloo.solo.io.PluginAuth
"configs": []extauth.plugins.gloo.solo.io.ExtAuthConfig.AuthConfig
Field Type Description Default
vhost string
oauth .extauth.plugins.gloo.solo.io.ExtAuthConfig.OAuthConfig
basicAuth .extauth.plugins.gloo.solo.io.BasicAuth
apiKeyAuth .extauth.plugins.gloo.solo.io.ExtAuthConfig.ApiKeyAuthConfig
pluginAuth .extauth.plugins.gloo.solo.io.PluginAuth
configs []extauth.plugins.gloo.solo.io.ExtAuthConfig.AuthConfig

OAuthConfig

"clientId": string
"clientSecret": string
"issuerUrl": string
"appUrl": string
"callbackPath": string
"scopes": []string
Field Type Description Default
clientId string Your client id as registered with the issuer.
clientSecret string Your client secret as registered with the issuer.
issuerUrl string The url of the issuer. We will look for OIDC information in issuerUrl + “.well-known/openid-configuration”.
appUrl string Where to redirect after successful auth. If we can’t determine the original url, this should be your publicly available app url.
callbackPath string A callback path, relative to app url, that will be used for OIDC callbacks. It must not be used by the application.
scopes []string Scopes to request in addition to the openid scope.

ApiKeyAuthConfig

"validApiKeyAndUser": map<string, string>
Field Type Description Default
validApiKeyAndUser map<string, string> a map of valid apikeys to their associated plaintext users.

OpaAuthConfig

"modules": map<string, string>
"query": string
Field Type Description Default
modules map<string, string> An optional map of modules (filename to module content) that assist in the resolution of the query.
query string The query that determines the auth decision. The result of this query must be either a boolean or an array with boolean as the first element. A boolean true value means that the request will be authorized. Any other value, or error, means that the request will be denied.

AuthConfig

"oauth": .extauth.plugins.gloo.solo.io.ExtAuthConfig.OAuthConfig
"basicAuth": .extauth.plugins.gloo.solo.io.BasicAuth
"apiKeyAuth": .extauth.plugins.gloo.solo.io.ExtAuthConfig.ApiKeyAuthConfig
"pluginAuth": .extauth.plugins.gloo.solo.io.AuthPlugin
"opaAuth": .extauth.plugins.gloo.solo.io.ExtAuthConfig.OpaAuthConfig
"ldap": .extauth.plugins.gloo.solo.io.Ldap
Field Type Description Default
oauth .extauth.plugins.gloo.solo.io.ExtAuthConfig.OAuthConfig
basicAuth .extauth.plugins.gloo.solo.io.BasicAuth
apiKeyAuth .extauth.plugins.gloo.solo.io.ExtAuthConfig.ApiKeyAuthConfig
pluginAuth .extauth.plugins.gloo.solo.io.AuthPlugin
opaAuth .extauth.plugins.gloo.solo.io.ExtAuthConfig.OpaAuthConfig
ldap .extauth.plugins.gloo.solo.io.Ldap