Alibaba Cloud Service Mesh (ASM) supports custom external authorization. You can add an authentication process to the communication between services to ensure that only authenticated requests can access key services. This topic uses the httpbin application as an example to describe how to implement custom external authorization.
Prerequisites
- An ASM instance is created. For more information, see Create an ASM instance.
- A Container Service for Kubernetes (ACK) cluster is created. For more information, see Create an ACK managed cluster.
- The ACK cluster is added to the ASM instance. For more information, see Add a cluster to an ASM instance.
External authorization process
1. Deploy an external authorization service in the Container Service for Kubernetes (ACK) cluster. This service must comply with the Istio API specifications for custom authentication services and support the HTTP and gRPC protocols.
2. Deploy a sample application in the ACK cluster to verify the external authorization feature.
3. Define an external authorization service in ASM and associate the service with the external authorization service that you deployed in Step 1. This way, ASM can use the authorization service deployed in Step 1 for authentication.
4. Create an authorization policy in ASM, configure an application that requires external authentication, and perform authentication by using the external authorization service that you configured in Step 3.

Step 1: Deploy an external authorization service
Deploy an external authorization service named ext-authz in the ACK cluster to implement external authentication logic. The external authorization service specifies that only requests with the x-ext-authz: allow request header can be authenticated to access the httpbin application.
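The decision rule described above, sketched as an HTTP check endpoint. This is an added example, not the ext-authz service that the page deploys; the listening port, the function names, and the choice to reject duplicated headers are assumptions of this sketch.

```go
package main

import (
	"log"
	"net/http"
)

// Header name and value that the page says the ext-authz service requires.
const (
	checkHeader = "x-ext-authz"
	allowValue  = "allow"
)

// decide returns true only when the request carries exactly one
// x-ext-authz header whose value is exactly "allow". A missing header,
// any other value, or a duplicated header is denied, so the check
// fails closed (rejecting duplicates is a choice made in this sketch).
func decide(h http.Header) bool {
	vals := h.Values(checkHeader) // header-name lookup is case-insensitive
	return len(vals) == 1 && vals[0] == allowValue
}

// checkHandler is the HTTP check endpoint. The mesh proxy sends a check
// request here before routing to the workload and treats a 200 response
// as "allow" and any other status as "deny".
func checkHandler(w http.ResponseWriter, r *http.Request) {
	if decide(r.Header) {
		w.WriteHeader(http.StatusOK)
		return
	}
	// %q keeps attacker-controlled bytes from breaking the log line.
	log.Printf("ext-authz deny method=%q path=%q", r.Method, r.URL.Path)
	http.Error(w, "denied: x-ext-authz: allow header not present",
		http.StatusForbidden)
}

func main() {
	// Port 8000 is an assumption of this sketch. The handler is mounted
	// on "/" because check requests carry the original request path.
	http.HandleFunc("/", checkHandler)
	log.Fatal(http.ListenAndServe(":8000", nil))
}
```

The check only works if the proxy is configured to forward the x-ext-authz header to the authorization service; if the header is not forwarded, every request is denied.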
Step 2: Deploy sample applications
Step 3: Manage the external authorization service
Declare the ext-authz service that you deployed in Step 1 in the ASM instance so that the ASM instance can use the service to authenticate requests.
Step 4: Create an authorization policy
Create an authorization policy to specify the request operations that require authentication.