An implementation of Envoy External Authorization, focused on delivering authN/Z solutions for Envoy proxy. Compatible with Kubernetes Ingress classes like Project Contour or Istio.

Some of the features it provides:

Transparent login
- Retrieves OAuth2 Access tokens, ID tokens and refresh tokens
- Compatible with any standard OIDC Provider
- Supports PKCE flow (public)
- Logout redirects
Session management
- Session tokens and data are cryptographically verifiable.
- Refreshes expired tokens automatically
Pre and post authorization policies with Open Policy Agent (OPA) policies.
- Allowing fine grained policy rules per request.
- Post authorization token policies (decode JWT and verify claims).