External Auth Plugin and LDAP Support in Envoy Proxy based API Gateways

Gloo configures Envoy Proxy to authenticate requests with LDAP

Each post in the “5 Minutes with Gloo” series digs into a single feature: what it is, what it is used for, and how to use it. In this post, we expand on a previous post on Authentication in API Gateways to focus on new Auth capabilities we have added.

Let’s recap by answering the basic question: What is the role of authentication in environments using API Gateways?

API Gateways act as a control point for external users to access services running inside your environment (datacenter or cloud). Depending on the service, you may want to define who can access it, when, and how frequently, for security and performance reasons. Depending on the organization and the service, your Auth needs can vary from basic auth to more advanced use cases.

Gloo already supports a range of Auth options today, from External Auth (APIKey, OAuth, Basic) and a Custom Auth Server to JSON Web Tokens (JWT). Recently, we added a new feature for building Auth Plugins.

Gloo can use a Custom Auth Server to implement custom Auth logic. While this approach provides the most flexibility, it can come at a cost in development, maintenance and performance, including:

  • Writing and maintaining additional services
  • System overhead due to Auth logic complexity
  • Potential for added network hops and latency
  • Host-level configuration and synchronization challenges

Making Custom Auth Easier with Auth Plugin

We wanted to make that process easier to start, implement and maintain, without the complexity of custom services or extra plumbing. The new External Auth Plugin lets you focus on the auth logic and provide its configuration directly on the Virtual Service it applies to.

The high-level steps are below (a tutorial is also available):

  1. Write a plugin and publish it as a Docker image which, when run, copies the compiled plugin file(s) to a predefined directory.
  2. Configure Gloo to load the plugins by running the image as an initContainer on the extauth deployment. This can be done by rendering the Gloo Helm chart with some value overrides or by modifying the Gloo installation manifest manually.
  3. Reference your plugin in your Virtual Services so that it is invoked for requests matching particular virtual hosts and routes.

Improving Auth Server Performance

Additionally, to help with Auth Server performance, we just released the ability to deploy the external Auth Server as a sidecar to Envoy, communicating over a UNIX domain socket. This reduces latency in two ways:

  1. Processes communicate over UNIX sockets and not TCP
  2. The Auth Server lives on the same host and pod as Envoy
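
The sidecar arrangement described above, as an added Go sketch (not Gloo's code): an auth check served on a UNIX domain socket and a client that dials the socket path instead of a TCP address. Plain HTTP, the `X-Api-Key` header, the function names and the key value are assumptions made for illustration; the point for a defender is that the socket file's permissions, not a network policy, decide which local processes can reach the auth server.

```go
package main

import (
	"context"
	"crypto/subtle"
	"fmt"
	"net"
	"net/http"
	"os"
)

// serveAuth runs a toy auth check on a UNIX socket and returns a stop function (hypothetical helper).
func serveAuth(sock, apiKey string) (func(), error) {
	ln, err := net.Listen("unix", sock)
	if err != nil {
		return nil, err
	}
	if err := os.Chmod(sock, 0o600); err != nil { // owner-only: file mode is the access control
		ln.Close()
		return nil, err
	}
	srv := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if subtle.ConstantTimeCompare([]byte(r.Header.Get("X-Api-Key")), []byte(apiKey)) != 1 {
			w.WriteHeader(http.StatusForbidden)
		}
	})}
	go srv.Serve(ln)
	return func() { srv.Close() }, nil
}
// check dials the socket path instead of a TCP address and returns the HTTP status (hypothetical helper).
func check(sock, key string) (int, error) {
	c := &http.Client{Transport: &http.Transport{DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
		return (&net.Dialer{}).DialContext(ctx, "unix", sock)
	}}}
	req, _ := http.NewRequest("GET", "http://extauth/check", nil) // host is ignored by the dialer
	req.Header.Set("X-Api-Key", key)
	resp, err := c.Do(req)
	if err != nil {
		return 0, err
	}
	return resp.StatusCode, resp.Body.Close()
}
func main() {
	dir, _ := os.MkdirTemp("", "extauth") // constructed private (0700) directory for the socket
	defer os.RemoveAll(dir)
	if stop, err := serveAuth(dir+"/s", "constructed-key"); err == nil {
		defer stop()
		fmt.Println(check(dir+"/s", "constructed-key"))
	}
}
```

Keeping the socket in a directory only the proxy and auth server can traverse also covers the short window between `Listen` creating the file and `Chmod` tightening its mode.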

Support for LDAP Auth Systems

With the release of the External Auth Plugin, we are excited to announce support for LDAP and AWS Cognito with the plugin. This allows enterprises with existing Auth servers to plug them into Gloo. Reach out to us for a demo or to discuss your specific Auth server needs.

Authentication is a feature available in Gloo Enterprise, and with the addition of the Auth plugin, we can meet a wide range of Auth use cases in the Gloo API Gateway to secure access to your microservices.

Get Started with Authentication in Gloo API Gateway