External Authorization
Tetrate Service Bridge (TSB) can authorize every HTTP request that reaches a Gateway or a Workload. TSB supports local authorization, which evaluates JWT claims in the proxy itself, and external authorization (ext-authz), which delegates the allow/deny decision for each request to a service running outside the proxy.
You may want external authorization if you already have an in-house authorization system, if you need an authentication scheme other than JWT, or if you want to integrate a third-party policy engine such as Open Policy Agent (OPA) or PlainID.
Ext-authz can be configured in several contexts: Tier-1 Gateways, Ingress Gateways, and Traffic Settings. The following table shows how external authorization is typically used in each context with TSB:
| Context | Sample Usage |
|---|---|
| Tier-1 Gateway | Tier-1 Gateways can be configured to accept only requests that carry a valid JWT with the required claims for authenticated APIs, requests with valid basic authentication credentials, and so on |
| Ingress Gateway | Ingress Gateways (also called Tier-2 or Application Gateways) can be configured to enforce business logic, such as restricting which APIs a user may call based on that user's entitlements |
| Traffic Settings | Ext-authz in Traffic Settings applies to all proxies in the associated namespaces, so it also covers service-to-service calls that never pass through a gateway. This is particularly useful for limiting access to parts of a service API |
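The following is an added illustration, not a resource from the TSB documentation or the linked pages, of what the Ingress Gateway row looks like in practice: an IngressGateway that sends every request for one hostname to an external authorizer before routing it to the backing service. The organization, tenant, workspace, group, namespace, hostname, certificate secret and the authorizer address are all hypothetical placeholders, and the field names are those I recall from the TSB gateway API; confirm them against the API reference for the TSB version you run before applying the resource.

```yaml
# Added example, not TSB's own documentation. All names below are hypothetical.
apiVersion: gateway.tsb.tetrate.io/v2
kind: IngressGateway
metadata:
  organization: my-org          # hypothetical
  tenant: my-tenant             # hypothetical
  workspace: bookinfo-ws        # hypothetical
  group: bookinfo-gw            # hypothetical
  name: bookinfo-gw
spec:
  # Selects the gateway deployment this configuration applies to.
  workloadSelector:
    namespace: bookinfo
    labels:
      app: tsb-gateway-bookinfo
  http:
  - name: bookinfo
    port: 443
    hostname: bookinfo.example.com   # hypothetical hostname
    tls:
      mode: SIMPLE
      secretName: bookinfo-cert      # hypothetical Kubernetes TLS secret
    routing:
      rules:
      - route:
          host: bookinfo/productpage.bookinfo.svc.cluster.local
    # Every request on this host is sent to the external authorizer first.
    # The gateway forwards the request to productpage only if the authorizer
    # allows it; otherwise the client receives the authorizer's deny response.
    authorization:
      external:
        uri: grpc://opa.authz.svc.cluster.local:9191   # hypothetical authorizer
```

Two practical points follow from where this resource sits. First, the check is bound to the gateway listener, so only traffic entering through bookinfo-gw is authorized; a pod inside the mesh calling productpage directly bypasses it, which is what the Traffic Settings row in the table is for. Second, the authorizer becomes part of the request path: if it is unreachable, requests on this host are denied rather than allowed, so size it and monitor it like any other tier-0 dependency. Securing the connection between the gateway and the authorizer is covered by the TLS verification page listed below.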
- Service to service authorization using external authorization: shows how to use OPA to authorize service-to-service traffic.
- Configuring External Authorization in Ingress Gateways: how to configure Ingress Gateways to authorize requests from a public-facing network.
- External Authz with TLS verification: securing traffic between TSB and the external authorization service.
- External Authorization in Tier-1 Gateways: how to use OPA to authorize requests from a public-facing network.