Skip to content

Enhancement Proposal: ExternalAuthFilter #4156

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 10 commits into from
Closed

Enhancement Proposal: ExternalAuthFilter #4156

wants to merge 10 commits into from

Conversation

@shaun-nx
Copy link
Contributor

Proposed changes

This document proposes a means to integrate with Gateway API GEP-1494.
This defines an standardized API for HTTP Authentication through communication with an External Auth Service.
This service can be an IdP such as Keycloak or AzureAD. It can also be our own deployable Auth Service based on NGINX.

Relates to #4052

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Release notes

If this PR introduces a change that affects users and needs to be mentioned in the release notes,
please add a brief note that summarizes the change.

NONE

@shaun-nx shaun-nx requested review from a team as code owners October 23, 2025 13:56
@github-actions github-actions bot added the documentation Improvements or additions to documentation label Oct 23, 2025
@codecov
Copy link

codecov bot commented Oct 23, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.97%. Comparing base (5c78a60) to head (4f5a41e).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #4156      +/-   ##
==========================================
- Coverage   85.99%   85.97%   -0.03%     
==========================================
  Files         131      131              
  Lines       14063    14063              
  Branches       35       35              
==========================================
- Hits        12093    12090       -3     
- Misses       1770     1772       +2     
- Partials      200      201       +1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@tataruty
Copy link
Contributor

you haven't added the case when they can co-exist with filter option?

sjberman
sjberman reviewed Oct 23, 2025
View reviewed changes
docs/proposals/external-auth-filter.md
# Enhancement Proposal-4052: External AuthFilter

- Issue: https://github.com/nginx/nginx-gateway-fabric/issues/4052
- Status: Provisional
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reminder: Provisional docs should only have the Goals and non-Goals, no design. This is described in the proposals README.

Once the goals are approved, then we add the design and update to Implementable.

sjberman
sjberman reviewed Oct 23, 2025
View reviewed changes
docs/proposals/external-auth-filter.md Outdated
- As an Application Developer, I want to secure access to my APIs and Backend Applications.
- As an Application Developer, I want to enforce authenticaiton on specific routes and matches.

### Understanding NGINX authentication methods
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These would not apply to the external auth filter, because they are native NGINX capabilities. For external auth, we would use the auth_request module to call out to an external auth server (specifically referring to basic and jwt)

@sjberman sjberman added the enhancement-proposal Enhancement Proposal issue label Oct 23, 2025
@sjberman
Copy link
Collaborator

NGINX native auth and external auth using the Gateway API are two separate features. Is the intention and requirements of the Auth epic to build both of these features, or just the former? I just want to make sure we're not adding scope that wasn't intended.

@shaun-nx
Copy link
Contributor Author

NGINX native auth and external auth using the Gateway API are two separate features. Is the intention and requirements of the Auth epic to build both of these features, or just the former? I just want to make sure we're not adding scope that wasn't intended.

Hey Saylor.
The AuthenticationFilter: Basic Auth epic assumes we are choosing to move forward with our own AuthenticationFilter CRD and not integrate with the ExternalAuthFilter from the GatewayAPI.

To your comment on "NGINX native auth and external auth using the Gateway API are two separate features", this isn't necessarily true.

In the case of NGINX native auth, where we build out our own AuthenticationFilter, this will of course include a spec for enabling and configuring authentication like BasicAuth and JWT.

In the case of external auth using the Gateway API, while a user can choose to reference an external service that isn't using NGINX (e.g. Keycloak), one thing that's covered in this proposal is providing users with a deployable NGINX External Auth Service.

@sjberman
Copy link
Collaborator

The #4056 epic assumes we are choosing to move forward with our own AuthenticationFilter CRD and not integrate with the ExternalAuthFilter from the GatewayAPI.

To your comment on "NGINX native auth and external auth using the Gateway API are two separate features", this isn't necessarily true.

Auth itself could be seen as a "single feature", but as you stated in the first sentence, the epic is only intending to support our custom Auth API for native auth. So if that's all that the requirements are, then why do we need a design right now for integrating with the Gateway API external auth? That is a different scope of work.

ciarams87
ciarams87 reviewed Oct 24, 2025
View reviewed changes
docs/proposals/external-auth-filter.md

[GEP-1494](https://gateway-api.sigs.k8s.io/geps/gep-1494/) defines an API for HTTPRoute to standardize Authentication and Authorization within the Gateway API.

This proposal aim to provider users of the Gateway API with a native form of Authenticaiton through Gateway API's [HTTPExternalAuthFilter](https://gateway-api.sigs.k8s.io/reference/spec/#httpexternalauthfilter)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
This proposal aim to provider users of the Gateway API with a native form of Authenticaiton through Gateway API's [HTTPExternalAuthFilter](https://gateway-api.sigs.k8s.io/reference/spec/#httpexternalauthfilter)
This proposal aim to provider users of the Gateway API with a native form of Authentication through Gateway API's [HTTPExternalAuthFilter](https://gateway-api.sigs.k8s.io/reference/spec/#httpexternalauthfilter)

ciarams87
ciarams87 reviewed Oct 24, 2025
View reviewed changes
docs/proposals/external-auth-filter.md
- Ensure this capability is available only when users enable experimental features in NGF
- Support only [HTTPAuthConfig](https://gateway-api.sigs.k8s.io/reference/spec/#httpauthconfig)
- Provide users with a helm chart to deploy, manage and configure NGINX for Authentication use cases. i.e. the External Service
- Allow users to configure an exteranl IdP such as Keycloak or AzureAD
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- Allow users to configure an exteranl IdP such as Keycloak or AzureAD
- Allow users to configure an external IdP such as Keycloak or AzureAD

salonichf5
salonichf5 reviewed Oct 24, 2025
View reviewed changes
docs/proposals/external-auth-filter.md

[GEP-1494](https://gateway-api.sigs.k8s.io/geps/gep-1494/) defines an API for HTTPRoute to standardize Authentication and Authorization within the Gateway API.

This proposal aim to provider users of the Gateway API with a native form of Authenticaiton through Gateway API's [HTTPExternalAuthFilter](https://gateway-api.sigs.k8s.io/reference/spec/#httpexternalauthfilter)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
This proposal aim to provider users of the Gateway API with a native form of Authenticaiton through Gateway API's [HTTPExternalAuthFilter](https://gateway-api.sigs.k8s.io/reference/spec/#httpexternalauthfilter)
This proposal aims to provide users of the Gateway API with a native form of Authenticaiton through Gateway API's [HTTPExternalAuthFilter](https://gateway-api.sigs.k8s.io/reference/spec/#httpexternalauthfilter)

docs/proposals/external-auth-filter.md

## Non-Goals

- Support for [GRPCAuthConfig](https://gateway-api.sigs.k8s.io/reference/spec/#grpcauthconfig)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

layer 4 routes are also out of scope here

@shaun-nx
Copy link
Contributor Author

The #4056 epic assumes we are choosing to move forward with our own AuthenticationFilter CRD and not integrate with the ExternalAuthFilter from the GatewayAPI.

To your comment on "NGINX native auth and external auth using the Gateway API are two separate features", this isn't necessarily true.

Auth itself could be seen as a "single feature", but as you stated in the first sentence, the epic is only intending to support our custom Auth API for native auth. So if that's all that the requirements are, then why do we need a design right now for integrating with the Gateway API external auth? That is a different scope of work.

Sorry, you are right. I could have clarified that better. The reason for making this proposal was so that we could have a conversation around weather or not we wanted to go forward with ExternalAuth over our own AuthenticationFilter.

There were several conversations around the idea that we should use the Gateway API's implementation over making our own CRDs.

I don't personally have a preference either way. I just want to make sure we're having a healthy discussion. Looking back, I realize I could have presented that differently to make that more obvious. Sorry about that 😅

@shaun-nx
Copy link
Contributor Author

Closing this for now.
The decision was made to move forward with our own AuthenticationFilter.
This proposal will be revisited in the future as the ExternalAuth API expands.

@shaun-nx shaun-nx closed this Oct 28, 2025
@github-project-automation github-project-automation bot moved this from 🆕 New to ✅ Done in NGINX Gateway Fabric Oct 28, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sjberman sjberman sjberman left review comments

@ciarams87 ciarams87 ciarams87 left review comments

@salonichf5 salonichf5 salonichf5 left review comments

Assignees

No one assigned

Labels

documentation Improvements or additions to documentation enhancement-proposal Enhancement Proposal issue

Projects

NGINX Gateway Fabric
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@shaun-nx @tataruty @sjberman @ciarams87 @salonichf5