Header-based authorization check

Header-based authorization check is a security mechanism where an external authorization service grants or denies access based on the presence and value of specific HTTP headers within the request.^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__extauthz__README.md]

This pattern is commonly implemented with an external authorization server reached through a proxy filter such as Envoy's ext_authz filter, which intercepts each request and forwards it for a credential check before traffic reaches the destination service.^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__extauthz__README.md]

Mechanism

The authorization server evaluates the request headers against defined rules.^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__extauthz__README.md]

For example, a server may be configured to allow the request only if it includes a specific header and value pair, such as x-ext-authz: allow.^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__extauthz__README.md] In typical implementations, if the required header is missing or contains an incorrect value, the server returns a 403 Forbidden status, indicating that the request was denied.^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__extauthz__README.md]
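The rule described above, as an added example in Go (not the Istio sample's own ext-authz server): a minimal HTTP-mode ext_authz server that allows a request only when the x-ext-authz header is present with exactly the value allow and answers 403 Forbidden otherwise. The listening port 8000, the x-ext-authz-check-result response header and the response body texts are assumptions of this example; the deny-on-duplicate-header branch is an added hardening choice, since a proxy forwarding two copies of the header would otherwise leave the decision ambiguous.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
)

// Header and value the authorization server requires (from the page's example).
const (
	authzHeader     = "x-ext-authz"
	authzAllowValue = "allow"
)

// Decision is the outcome of evaluating one request's headers.
type Decision struct {
	Allowed bool
	Status  int
	Reason  string
}

// evaluate applies the header rule: allow only when the header is present
// exactly once with the expected value; everything else is denied (fail closed).
func evaluate(h http.Header) Decision {
	values := h.Values(authzHeader) // key is canonicalized, so case does not matter
	switch {
	case len(values) == 0:
		return Decision{false, http.StatusForbidden, "missing " + authzHeader + " header"}
	case len(values) > 1:
		// Duplicate headers are ambiguous; deny rather than pick one copy.
		return Decision{false, http.StatusForbidden, "multiple " + authzHeader + " headers"}
	case values[0] != authzAllowValue:
		return Decision{false, http.StatusForbidden, "wrong " + authzHeader + " value"}
	}
	return Decision{true, http.StatusOK, "header check passed"}
}

// handler is the HTTP ext_authz endpoint: the proxy forwards the original
// request's headers here, and the status code returned decides the request.
func handler(w http.ResponseWriter, r *http.Request) {
	d := evaluate(r.Header)
	log.Printf("%s %s from %s -> %d (%s)", r.Method, r.URL.Path, r.RemoteAddr, d.Status, d.Reason)
	if !d.Allowed {
		http.Error(w, "denied by ext_authz: "+d.Reason, d.Status)
		return
	}
	// Assumed result header so the upstream service can see the check ran.
	w.Header().Set("x-ext-authz-check-result", "allowed")
	w.WriteHeader(d.Status)
	fmt.Fprintln(w, "allowed by ext_authz")
}

func main() {
	http.HandleFunc("/", handler)
	log.Println("ext_authz header check server listening on :8000 (assumed port)")
	log.Fatal(http.ListenAndServe(":8000", nil))
}
```

Run it and probe with curl -i -H "x-ext-authz: allow" http://localhost:8000/ versus a request without the header to see the 200 and 403 paths; in a real deployment the proxy, not the client, calls this endpoint, and the log line gives the detection signal (which source, which path, why denied) that a security operations team would forward.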

Context and Variations

While header checks are a primary method, authorization logic can also consider other factors, such as the service account of the source workload (e.g., allowing requests from service account a).^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__extauthz__README.md]

The authorization server typically supports communication protocols like HTTP or gRPC (v2/v3) to perform these checks.^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__extauthz__README.md]

Sources

  • 400-devops__07-Monitoring-and-Observability__k8s-istio__samples__extauthz__README.md