1syntax = "proto3";
2
3package envoy.service.auth.v2;
4
5import "envoy/api/v2/core/base.proto";
6import "envoy/service/auth/v2/attribute_context.proto";
7import "envoy/type/http_status.proto";
8
9import "google/rpc/status.proto";
10
11import "udpa/annotations/status.proto";
12import "validate/validate.proto";
13
14option java_package = "io.envoyproxy.envoy.service.auth.v2";
15option java_outer_classname = "ExternalAuthProto";
16option java_multiple_files = true;
17option go_package = "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2;authv2";
18option java_generic_services = true;
19option (udpa.annotations.file_status).package_version_status = FROZEN;
20
21// [#protodoc-title: Authorization Service ]
22
23// The authorization service request messages used by external authorization :ref:`network filter
24// <config_network_filters_ext_authz>` and :ref:`HTTP filter <config_http_filters_ext_authz>`.
25
26// A generic interface for performing authorization check on incoming
27// requests to a networked service.
28service Authorization {
29 // Performs authorization check based on the attributes associated with the
30 // incoming request, and returns status `OK` or not `OK`.
31 rpc Check(CheckRequest) returns (CheckResponse) {
32 }
33}
34
35message CheckRequest {
36 // The request attributes.
37 AttributeContext attributes = 1;
38}
39
40// HTTP attributes for a denied response.
41message DeniedHttpResponse {
42 // This field allows the authorization service to send a HTTP response status
43 // code to the downstream client other than 403 (Forbidden).
44 type.HttpStatus status = 1 [(validate.rules).message = {required: true}];
45
46 // This field allows the authorization service to send HTTP response headers
47 // to the downstream client. Note that the `append` field in `HeaderValueOption` defaults to
48 // false when used in this message.
49 repeated api.v2.core.HeaderValueOption headers = 2;
50
51 // This field allows the authorization service to send a response body data
52 // to the downstream client.
53 string body = 3;
54}
55
56// HTTP attributes for an ok response.
57message OkHttpResponse {
58 // HTTP entity headers in addition to the original request headers. This allows the authorization
59 // service to append, to add or to override headers from the original request before
60 // dispatching it to the upstream. Note that the `append` field in `HeaderValueOption` defaults to
61 // false when used in this message. By setting the `append` field to `true`,
62 // the filter will append the correspondent header value to the matched request header.
63 // By leaving `append` as false, the filter will either add a new header, or override an existing
64 // one if there is a match.
65 repeated api.v2.core.HeaderValueOption headers = 2;
66}
67
68// Intended for gRPC and Network Authorization servers `only`.
69message CheckResponse {
70 // Status `OK` allows the request. Any other status indicates the request should be denied.
71 google.rpc.Status status = 1;
72
73 // An message that contains HTTP response attributes. This message is
74 // used when the authorization service needs to send custom responses to the
75 // downstream client or, to modify/add request headers being dispatched to the upstream.
76 oneof http_response {
77 // Supplies http attributes for a denied response.
78 DeniedHttpResponse denied_response = 2;
79
80 // Supplies http attributes for an ok response.
81 OkHttpResponse ok_response = 3;
82 }
83}
View as plain text