External Authorization

• This filter should be configured with the name envoy.filters.http.ext_authz.

The external authorization filter calls an external gRPC or HTTP service to check whether an incoming HTTP request is authorized or not. If the request is deemed unauthorized, then the request will be denied normally with 403 (Forbidden) response. Note that sending additional custom metadata from the authorization service to the upstream, to the downstream or to the authorization service is also possible. This is explained in more details at HTTP filter.

The content of the requests that are passed to an authorization service is specified by .

The HTTP filter, using a gRPC/HTTP service, can be configured as follows. You can see all the configuration options at HTTP filter.

A sample filter configuration for a gRPC authorization server:

A sample filter configuration for a raw HTTP authorization server:

The HTTP filter outputs statistics in the cluster.<route target cluster>.ext_authz. namespace.

The fraction of requests for which the filter is enabled can be configured via the value of the filter_enabled field.