syntax = "proto3"; package envoy.service.auth.v4alpha; import "envoy/config/core/v4alpha/base.proto"; import "envoy/service/auth/v4alpha/attribute_context.proto"; import "envoy/type/v3/http_status.proto"; import "google/protobuf/struct.proto"; import "google/rpc/status.proto"; import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.service.auth.v4alpha"; option java_outer_classname = "ExternalAuthProto"; option java_multiple_files = true; option java_generic_services = true; option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; // [#protodoc-title: Authorization Service ] // The authorization service request messages used by external authorization :ref:`network filter // ` and :ref:`HTTP filter `. // A generic interface for performing authorization check on incoming // requests to a networked service. service Authorization { // Performs authorization check based on the attributes associated with the // incoming request, and returns status `OK` or not `OK`. rpc Check(CheckRequest) returns (CheckResponse) { } } message CheckRequest { option (udpa.annotations.versioning).previous_message_type = "envoy.service.auth.v3.CheckRequest"; // The request attributes. AttributeContext attributes = 1; } // HTTP attributes for a denied response. message DeniedHttpResponse { option (udpa.annotations.versioning).previous_message_type = "envoy.service.auth.v3.DeniedHttpResponse"; // This field allows the authorization service to send a HTTP response status // code to the downstream client other than 403 (Forbidden). type.v3.HttpStatus status = 1 [(validate.rules).message = {required: true}]; // This field allows the authorization service to send HTTP response headers // to the downstream client. repeated config.core.v4alpha.HeaderValueOption headers = 2; // This field allows the authorization service to send a response body data // to the downstream client. string body = 3; } // HTTP attributes for an OK response. message OkHttpResponse { option (udpa.annotations.versioning).previous_message_type = "envoy.service.auth.v3.OkHttpResponse"; reserved 3; reserved "dynamic_metadata"; // HTTP entity headers in addition to the original request headers. This allows the authorization // service to append, to add or to override headers from the original request before // dispatching it to the upstream. By setting `append` field to `true` in the `HeaderValueOption`, // the filter will append the correspondent header value to the matched request header. Note that // by Leaving `append` as false, the filter will either add a new header, or override an existing // one if there is a match. repeated config.core.v4alpha.HeaderValueOption headers = 2; } // Intended for gRPC and Network Authorization servers `only`. message CheckResponse { option (udpa.annotations.versioning).previous_message_type = "envoy.service.auth.v3.CheckResponse"; // Status `OK` allows the request. Any other status indicates the request should be denied. google.rpc.Status status = 1; // An message that contains HTTP response attributes. This message is // used when the authorization service needs to send custom responses to the // downstream client or, to modify/add request headers being dispatched to the upstream. oneof http_response { // Supplies http attributes for a denied response. DeniedHttpResponse denied_response = 2; // Supplies http attributes for an ok response. OkHttpResponse ok_response = 3; } // Optional response metadata that will be emitted as dynamic metadata to be consumed by the next // filter. This metadata lives in a namespace specified by the canonical name of extension filter // that requires it: // // - :ref:`envoy.filters.http.ext_authz ` for HTTP filter. // - :ref:`envoy.filters.network.ext_authz ` for network filter. google.protobuf.Struct dynamic_metadata = 4; }