Tetrate Service Bridge (TSB) provides authorization capabilities to authorize every HTTP request arriving at Gateways and Workloads. TSB supports local authorization, which evaluates JWT claims in the proxy itself, and external authorization (ext-authz), which calls a service running outside the proxy to decide whether each request should be allowed or denied.
You may choose external authorization if you already have a separate in-house authorization system, if you want to use an authentication scheme other than JWT, or if you want to integrate with a third-party authorization solution such as Open Policy Agent (OPA) or PlainID.
Ext-authz can be configured in different contexts, such as Tier-1 Gateways, Ingress Gateways, and Traffic Settings. The following table shows some of the ways in which external authorization can be used with TSB:
| Context | Typical use |
|---|---|
| Tier-1 Gateway | Tier-1 Gateways can be configured to accept only requests that carry a valid JWT and the required claim for authenticated APIs, requests with proper basic authorization, etc. |
| Ingress Gateway | Ingress Gateways / Tier-2 Gateways / Application Gateways can be configured to implement business logic, such as limiting access to APIs based on user entitlements. |
| Traffic Settings | Ext-authz in Traffic Settings applies to all proxies in the associated namespaces. This is particularly useful for limiting access to parts of a service API. |
- Service to service authorization using external authorization: shows how to use OPA to authorize service-to-service traffic.
- Configuring External Authorization in Ingress Gateways: how to configure Ingress Gateways to authorize requests from a public-facing network.
- External Authz with TLS verification: securing traffic between TSB and the external authorization service.
- External Authorization in Tier-1 Gateways: how to use OPA to authorize requests from a public-facing network.