Authorino is a Kubernetes-native authorization service designed to protect APIs through external authorization enforcement with Envoy Proxy. Written in Go, it functions as a lightweight external authorization server that is fully manageable via Kubernetes Custom Resources, eliminating the need for application code changes or rebuilds to implement authentication and authorization policies.
The service implements Envoy Proxy's external authorization gRPC protocol and is part of the Red Hat Kuadrant architecture. It operates on Kubernetes Custom Resource Definitions and the Operator pattern, allowing users to define authorization policies through an AuthConfig custom resource. Authorino supports multiple authentication methods including JWT authentication, API keys, mutual TLS, Kubernetes service account tokens, and integrates with external identity providers through OpenID Connect Discovery.
For authorization, Authorino provides pattern-matching rules against JSON data structures, Open Policy Agent Rego policies, and Kubernetes RBAC enforcement through the SubjectAccessReview API. The service can fetch additional metadata from external sources during the authorization process and supports injecting authentication data back into requests via HTTP headers, Wristband tokens, and rate-limit metadata. It can also function as a ValidatingWebhook service for Kubernetes control plane protection.
The authentication and authorization workflow follows a multi-phase pipeline. When a request arrives at the Envoy ingress, Authorino performs identity verification through at least one authentication method, optionally fetches external metadata, evaluates user-defined authorization policies against a composed JSON object containing context data and identity information, and returns either approval or denial along with optional dynamic metadata.
GitGenius activity data shows the repository maintains active development with 54 tracked issues and pull requests. The most active contributor is guicassolato with 74 events, followed by KevFan with 21 events and alexsnaps with 16 events. Enhancement requests represent the most common issue type with 15 tracked items, while good first issue labels appear on 12 items, indicating an accessible entry point for new contributors. API-related issues are the third most active category with 10 items. The median response latency for issues and pull requests is zero hours, though the mean extends to 3319.8 hours, suggesting some items receive immediate attention while others may have longer resolution timelines.
The repository connects to related Kuadrant projects including kuadrant-operator and mcp-gateway through overlapping contributors, as well as to knative/eventing. The service is designed as multi-tenant and cloud-native, supporting hybrid API security models where organizations can combine their preferred authentication standards and authorization policies without requiring application modifications. Deployment can follow various topologies including centralized gateways, centralized authorization services, or sidecar patterns depending on organizational needs.