Authorization header override
Authorization header override is a behavior observed in external authorization systems, specifically in implementations of the Envoy ext_authz filter^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__extauthz__README.md]. It lets an authorization service change the headers of a client request, either adding new headers or overwriting existing ones, before the request is forwarded to the upstream service^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__extauthz__README.md].
Implementation Details
The specific behavior and value of the override header depend on the protocol used by the external authorization server^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__extauthz__README.md].
- HTTP Server: When using the HTTP API, the server sets the header value to match the value received in the check request^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__extauthz__README.md].
- gRPC Server: When using the gRPC API, the server sets the header to a constant, predefined value^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__extauthz__README.md].
Testing and Verification
In testing scenarios, this feature is used to verify that the ext_authz filter correctly processes and applies the headers returned by the authorization logic^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__extauthz__README.md]. The standard header used for this validation in sample implementations is x-ext-authz-additional-header-override^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__extauthz__README.md].
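The HTTP-server behavior and the verification step described above, as an added example (not code from the sample's README): a check handler that echoes the override header value it received, exercised with constructed requests. The x-ext-authz: allow rule, the /check path and the function names are assumptions for illustration; only x-ext-authz-additional-header-override comes from this page.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

const (
	overrideHeader = "x-ext-authz-additional-header-override" // header named on this page
	checkHeader    = "x-ext-authz"                            // assumed allow/deny signal
	allowedValue   = "allow"                                  // assumed allow value
)

// checkHandler plays the HTTP external authorization server.
// On allow it returns the override header with the value it received in the
// check request (the HTTP API behavior); on deny it returns 403 and no override.
func checkHandler(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get(checkHeader) != allowedValue {
		w.WriteHeader(http.StatusForbidden)
		return
	}
	w.Header().Set(overrideHeader, r.Header.Get(overrideHeader))
	w.WriteHeader(http.StatusOK)
}

// runCheck sends one constructed check request to the handler and returns the
// status code and the override header value found in the authorization response.
func runCheck(signal, clientOverride string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/check", nil)
	req.Header.Set(checkHeader, signal)
	req.Header.Set(overrideHeader, clientOverride)
	rec := httptest.NewRecorder()
	checkHandler(rec, req)
	return rec.Code, rec.Header().Get(overrideHeader)
}

func main() {
	code, got := runCheck("allow", "client-sent-value")
	fmt.Printf("allow: status=%d override=%q\n", code, got)
	code, got = runCheck("deny", "client-sent-value")
	fmt.Printf("deny:  status=%d override=%q\n", code, got)
}
```

When the check runs through Envoy's HTTP ext_authz service in Istio, the header reaches the upstream only if the provider lists it in headersToUpstreamOnAllow, so a missing override at the upstream can indicate a provider configuration gap rather than a server bug.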
Related Concepts
- [[Envoy]]
- Istio
- [[gRPC]]
- [[External authorization]]
Sources
^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__extauthz__README.md]