Description
Problem Statement
The Directory proxy needs to validate GitHub OAuth tokens at the edge before forwarding requests to backend services. Without a dedicated authorization service, each backend would need to implement its own token validation logic, leading to inconsistent security enforcement and duplicated code. Additionally, allowing any authenticated GitHub user to access Directory federation creates a security risk—access should be restricted to a specific list of allowed users.
Proposed Solution
Before implementing a custom solution, investigate existing open-source tools that provide Envoy external authorization with GitHub OAuth support (oauth2-proxy, envoy OAuth2 filter).
If existing solutions don't fit the architecture, create a custom gRPC service implementing Envoy's ext_authz API (envoy.service.auth.v3.Authorization). The service extracts Bearer tokens from incoming requests, validates them against GitHub's API, applies authorization rules, and returns either an OK response with injected identity headers or an appropriate error status.
Authorization rules should support:
- Allow list: Only users in user_allow_list are permitted access
Configuration should support environment variables (GITHUB_ALLOWED_USERS). Cache GitHub API responses to reduce rate limiting. Configure Envoy with an ext_authz HTTP filter pointing to this service over gRPC (HTTP/2).
Additionally, investigate whether custom headers containing user identity can be injected into requests forwarded to the Directory backend, enabling audit logging of actions like "GitHub user X pushed record Y".
Alternatives Considered
No response
Additional Context
No response
Checklist
- I have read the contributing guidelines
- I have verified this does not duplicate an existing feature request
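The decision path described under Proposed Solution (Bearer extraction, cached validation, allow-list check, identity header on success), as an added Go sketch that is not code from this issue or the project. Assumptions: `lookup` is a hypothetical stand-in for the GitHub API call, GITHUB_ALLOWED_USERS is comma-separated, the injected header is named `x-github-user`, and 401/403 are the chosen error statuses; a real service would wrap `Check` in the ext_authz gRPC handler.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"strings"
	"time"
)

type entry struct{ login string; expires time.Time }
// Authorizer holds the allow list and a TTL cache of validated tokens.
type Authorizer struct {
	allowed map[string]bool
	ttl     time.Duration
	lookup  func(token string) (string, error) // hypothetical hook for the GitHub API call
	cache   map[[32]byte]entry
}

// New parses the allow list (assumed comma-separated); logins compare case-insensitively.
func New(allowList string, ttl time.Duration, lookup func(string) (string, error)) *Authorizer {
	a := &Authorizer{map[string]bool{}, ttl, lookup, map[[32]byte]entry{}}
	isSep := func(r rune) bool { return r == ',' || r == ' ' }
	for _, u := range strings.FieldsFunc(strings.ToLower(allowList), isSep) {
		a.allowed[u] = true
	}
	return a
}

// Check fails closed: 401 for a missing or invalid token, 403 for a user off the list.
func (a *Authorizer) Check(authz string, now time.Time) (int, map[string]string) {
	scheme, token, _ := strings.Cut(strings.TrimSpace(authz), " ")
	if token = strings.TrimSpace(token); !strings.EqualFold(scheme, "Bearer") || token == "" {
		return 401, nil
	}
	key := sha256.Sum256([]byte(token)) // key the cache on a hash, not the raw token
	e, hit := a.cache[key]
	if !hit || !now.Before(e.expires) {
		login, err := a.lookup(token)
		if err != nil || login == "" {
			return 401, nil // failed lookups are never cached
		}
		e = entry{login, now.Add(a.ttl)}
		a.cache[key] = e
	}
	if !a.allowed[strings.ToLower(e.login)] {
		return 403, nil
	}
	return 200, map[string]string{"x-github-user": e.login} // header name is an assumption
}
func main() { fmt.Println(New("alice", time.Minute, nil).Check("", time.Now())) }
```

The cache TTL bounds how long a token revoked at GitHub keeps working, so it trades rate-limit relief against revocation latency. Envoy should also be configured to strip any client-supplied `x-github-user` header so the backend only ever sees the value set by this check.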