Feature/authz external

[malud]

fixes #873

working branch

---

Reviewer checklist

• Read PR description: a summary about the changes is required
• Changelog updated
• Documentation: docs/{Reference, Cli, ...}, Docker and cli help/usage
• Pulled branch, manually tested
• Verified requirements are met
• Reviewed the code
• Reviewed the related tests

[johakoch]

@malud Can you implement the local(s) handling mentioned in #873?

[Copilot]

Pull Request Overview

This PR introduces external authorization support (authz_external) as a new access control mechanism. The implementation adds a new configuration block type that allows configuring external authorization services, including OpenFGA integration.

Key changes:

• Added authz_external configuration block with OpenFGA support
• Integrated the new authorization type into the access control pipeline
• Refactored variable naming for improved clarity (e.g., helper → confHelper, absolutizePaths → resolveAbsolutePaths)

Reviewed Changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
config/definitions.go	Added AuthZExternal field to Definitions struct
config/ac_authz_external.go	New file defining AuthZExternal and OpenFGA configuration structures
accesscontrol/authz/external.go	New file implementing External authorization control with placeholder logic
config/runtime/server.go	Integrated authz_external into access control configuration
config/configload/load.go	Updated to use renamed variables (confHelper, resolveAbsolutePaths)
config/configload/helper.go	Added authz_external to AC backends and definitions map, refactored error declarations
accesscontrol/ac.go	Fixed error handling using errors.As instead of type assertion

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The NewExternal function always returns nil error but validates that origin is required in the Validate method. If origin is a required parameter, validation should occur during construction in NewExternal to fail fast, or the function signature should not return an error if it never fails.

[Copilot]

Passing nil for the origin parameter will cause Validate to always fail with 'origin required' error. The origin should be properly initialized from the backend configuration rather than passing nil.

Suggested change

	authZExt, err := authz.NewExternal(nil, false)
	authZExt, err := authz.NewExternal(authZExternal.Origin, false)

[Copilot]

The Validate method contains a panic statement that will crash the application if called. This should either be removed if this is work-in-progress code, or replaced with a proper error return until implementation is complete.

Suggested change

	panic("implement me")
	return errors.AccessControl.Message("not implemented")

[Copilot]

The clientRequest and authContext types are defined but never used in the code. These should either be utilized in the implementation or removed to avoid dead code.

Suggested change

	type clientRequest struct {
	Method string
	URL string
	Header http.Header
	}
	type authContext struct {
	Source any // previous hop
	Destination any // target backend (origin)
	ClientRequest clientRequest // simplified form / serialized
	Route any
	Metadata any // user / hcl provided
	MetadataTLS any // tls conn infos / opt in
	}