This repository is a proof of concept for creating an ext_authz
plugin for Envoy to use with Permit.io. The plugin is implemented in Go and uses gRPC to communicate with Envoy.
The authorization server intercepts incoming HTTP requests to Envoy and checks the provided authorization header against Permit.io policies. It verifies the JWT token, extracts the claims, and performs authorization checks based on the request method and custom resource attributes.
- Go 1.16 or later
- Envoy Proxy
- Permit.io account
- PDP Key and PDP URL from Permit.io
-
Clone the repository:
git clone https://github.com/yourusername/envoy-ext-authz-permitio.git cd envoy-ext-authz-permitio
-
Install the Go dependencies:
go mod tidy
-
Set up your environment variables with the Permit.io PDP Key and PDP URL:
export PDP_KEY="your_pdp_key" export PDP_URL="your_pdp_url"
-
Run the authorization server:
go run main.go
The server will start listening on port 9192
.
To configure Envoy to use this external authorization server, add the following to your Envoy configuration file:
static_resources:
listeners:
- name: listener_0
address:
socket_address:
address: 0.0.0.0
port_value: 10000
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: ingress_http
route_config:
name: local_route
virtual_hosts:
- name: local_service
domains: ["*"]
routes:
- match: { prefix: "/" }
route: { cluster: some_service }
http_filters:
- name: envoy.filters.http.ext_authz
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
grpc_service:
envoy_grpc:
cluster_name: ext_authz
timeout: 0.25s
- name: envoy.filters.http.router
clusters:
- name: some_service
connect_timeout: 0.25s
type: LOGICAL_DNS
lb_policy: ROUND_ROBIN
load_assignment:
cluster_name: some_service
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: some_service_address
port_value: some_service_port
- name: ext_authz
connect_timeout: 0.25s
type: LOGICAL_DNS
lb_policy: ROUND_ROBIN
load_assignment:
cluster_name: ext_authz
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: 127.0.0.1
port_value: 9192
- The Envoy proxy receives an incoming HTTP request and forwards it to the external authorization server.
- The authorization server checks the
authorization
header for a Bearer token. - The JWT token is parsed and validated.
- The server extracts the necessary claims from the token and constructs a user and resource object.
- It checks the permission using Permit.io's
Check
method. - Based on the result, it responds to Envoy with either an
OK
orDenied
response.
This project is licensed under the MIT License. See the LICENSE file for details.
Contributions are welcome! Please open an issue or submit a pull request.