CodersSecret

Module 7 of 8

Authorization Policy, Headers, and Product Boundaries

Forward trusted identity context without letting products trust spoofed headers.

95 minutes1 exercisesFree
Watch as Slides Course overviewInline lab below

Start here

Learning objectives

  • Design trusted identity headers after Envoy validation
  • Remove client-supplied identity headers before forwarding
  • Choose route-level, product-level, and data-level authorization boundaries
  • Avoid turning Envoy policy into an unmaintainable product database
Authorization Policy, Headers, and Product Boundaries A central Envoy edge checks identity before traffic reaches product services. Claims browser or service Envoy enforcement point Headers IdP or policy service when needed Service Kubernetes app Authenticate once, validate every request, authorize before forwarding.

The Identity Contract

After Envoy validates a token or receives an allow decision from the auth service, products need a consistent way to know who is calling. A common pattern is to remove unsafe client headers and add platform-owned headers such as user ID, service ID, tenant, roles, and request ID.

Header Hygiene Example

This example shows the idea: remove sensitive raw inputs and write verified context. Exact formatter support and metadata names depend on your Envoy version and filter configuration, so treat this as a design pattern and test it in your environment.

request_headers_to_add:
- header:
    key: x-platform-user
    value: "%DYNAMIC_METADATA(envoy.filters.http.jwt_authn:verified_jwt.sub)%"
  append_action: OVERWRITE_IF_EXISTS_OR_ADD
- header:
    key: x-platform-tenant
    value: "%DYNAMIC_METADATA(envoy.filters.http.jwt_authn:verified_jwt.tenant)%"
  append_action: OVERWRITE_IF_EXISTS_OR_ADD
request_headers_to_remove:
- authorization
- cookie

Three Authorization Layers

LayerExample decisionOwner
Route-levelCan this identity reach the data explorer product?Envoy plus central auth service
Product-levelCan this user edit this dashboard?Product service
Data-levelCan this user read this governed dataset?Data policy service or product domain logic

Why Product Boundaries Matter

Envoy sees requests and headers. It does not naturally understand every business object. If you put every permission rule in the gateway, the gateway becomes a hidden product database. Use Envoy for common gates and product services for domain-specific checks.

Audit Context

Every allowed and denied request should be traceable. At minimum, capture request ID, route, user or service identity, tenant, issuer, audience, policy name, decision, and decision latency.

Real world

Where this shows up

  • A Kubernetes platform with many internal products that should share one login and one enforcement layer
  • Developer portals, data tools, admin consoles, APIs, and service-to-service calls protected at the edge
  • Migration from product-specific auth logic to centralized policy checks without rewriting every product first

Production notes

Keep these close

  • Sign or protect internal traffic so downstream services cannot be called directly with fake headers
  • Document the identity header contract and version it when claims change
  • Add integration tests that prove spoofed headers are removed

Common mistakes

What usually breaks

  • Allowing clients to send x-user-id directly
  • Putting every object permission in gateway config
  • Changing identity header names without coordinating product teams

Security risks

Threats to watch

  • Header spoofing can bypass authorization if products trust client input
  • Direct service access can bypass Envoy unless network policy blocks it
  • Overly broad roles can become permanent platform admin shortcuts

Tradeoffs

Design choices you should be able to defend

Headers as identity context

Pros

  • Simple for products
  • Works with many languages and frameworks
  • Easy to observe

Cons

  • Must prevent spoofing
  • Header contract changes need coordination

Products parse tokens themselves

Pros

  • Products can inspect full claims
  • Less header contract design

Cons

  • Duplicated validation logic
  • Higher risk of inconsistent issuer or audience checks

Think like an engineer

Questions to answer before shipping

  • Which identity is making the request: a human, a service, or a federated cloud principal?
  • Which check belongs at Envoy, and which check must remain inside the product domain model?
  • What happens when the identity provider, JWKS endpoint, or auth service is slow or unavailable?

Key terms

Vocabulary used in this module

Identity contract

The agreed format products use to receive verified identity context from the platform.

Header spoofing

Sending a fake identity header directly from a client or bypass path.

Route-level authorization

A decision about whether an identity can reach a product route.

Domain authorization

A decision based on product-owned data and business rules.

Exercises

Practice inside the lesson

60-90 minutesProduction grade

Design the Identity Header Contract

Create a safe identity context contract between Envoy and product services.

  1. Choose three trusted headers products may read
  2. Choose which incoming headers Envoy must remove
  3. Write route-level decisions for three products
  4. Write one product-level decision that should stay inside a service
  5. Write the audit fields needed for allow and deny decisions

Recap

Key takeaways

  • Products should trust only headers written by Envoy or the platform layer
  • Envoy policy is best for shared route and identity checks
  • Product-specific authorization should remain near the data and domain model

Related resources

Keep learning across CodersSecret

Related guides

Read practical engineering walkthroughs that connect this lesson to real systems.

Cheatsheets

Keep command references and production checklists close while you practice.

Interactive labs

Practice infrastructure decisions through short, scenario-driven exercises.

Glossary terms

Build the vocabulary needed to explain architecture clearly in reviews.