Authentication and Authorization
Why Authenticate in API Gateway Environments
API Gateways act as a control point for the outside world to access the various application services (monoliths, microservices, serverless functions) running in your environment. In microservices or hybrid application architectures, any number of these workloads need to accept incoming requests from external end users (clients). Incoming requests are treated as either anonymous or authenticated, depending on the service. You may want to establish and validate who the client is and which service they are requesting, and then define any access or traffic control policies.
Gloo Gateway provides several mechanisms for authenticating requests. Gloo Gateway Enterprise includes an external auth (Ext Auth) service that has built-in support for authenticating with Identity Providers over LDAP or OIDC. It also supports other forms of authentication, including basic auth and API keys. Ext Auth has a plugin framework so that custom business logic for bespoke auth protocols can be loaded and configured easily with Gloo Gateway. Ext Auth also supports Rego, a dynamic, flexible policy language, for applying fine-grained authorization policies using Open Policy Agent. Ext Auth configurations can be chained to perform a multi-step authentication and authorization process.
You can also use JSON Web Tokens (JWT) to authenticate requests. In this case, Gloo Gateway merely needs to trust the source of the token and not necessarily perform an authentication handoff. JWT verification is fast, requires minimal resources, and can be performed directly in Envoy, rather than as a remote call to the external auth service.
Finally, you can write your own custom authentication service and integrate it with Gloo Gateway.
The Ext Auth section below includes guides for all the different authentication sources supported out of the box, and a guide to creating your own plugins for a specialized authentication source. Also included in this section is a guide for developing a Custom Auth service and guides for working with JSON Web Tokens.
- External Authentication (Enterprise): Authenticate and authorize requests to your services using Gloo Gateway's external auth service.
- Basic Auth: Authenticate using a dictionary of usernames and passwords on a virtual service.
- Passthrough Auth: Authenticate using an external "passthrough" service.
- OAuth: External auth with OAuth.
- API Keys: How to set up API key authentication.
- OPA Authorization: Combine OpenID Connect with Open Policy Agent to achieve fine-grained policy with Gloo Gateway.
- LDAP: Authenticate and authorize requests using LDAP.
- Plugin Auth: Extend Gloo Gateway's built-in auth server with custom Go plugins.
- Configuration format history: Overview of the external auth configuration formats supported by each Gloo Gateway Enterprise version.
- Custom Auth server: External authentication with your own auth server.
- JSON Web Tokens (Enterprise): Introduction to JWTs and what they are used for.
- JWT and Access Control: JWT verification and access control (without an external auth server).
- JWT Claim Based Routing: Perform routing decisions using information in a JWT's claims.
- Additional Authorization servers (Enterprise): Configure multiple external authorization servers and decide which one to use at the route level.