PDPs: https://github.com/openid/authzen/blob/main/interop/authzen-todo-backend/src/pdps.json
A prototype Authorization Manager written in Java that delegates authorization decisions to an external OpenID AuthZEN authorization engine, also known as a Policy Decision Point (PDP).
Note: The plugin requires at least version 7.3 of the Curity Identity Server.
The Curity Identity Server can leverage Authorization Managers to control access to its exposed GraphQL APIs for DCR and User Management. Authorization Managers can be custom built using the Curity Java Plugin SDK. This is an example of a custom Authorization Manager that acts as a Policy Enforcement Point (PEP) in an OpenID AuthZEN architecture. The OpenID AuthZEN Authorization Manager sends a JSON-formatted request to a configured PDP that holds the policy. The PDP responds with a decision. The OpenID AuthZEN Authorization Manager handles the response and allows or denies access to the requested resource accordingly.
Build the plugin by issuing the command `mvn package`. This will produce a JAR file in the `target/authzen-authorization-manager` directory, which can be installed.
To install the plugin, copy the compiled JAR (and all of its dependencies) from `target/authzen-authorization-manager` into `${IDSVR_HOME}/usr/share/plugins/${pluginGroup}` on each node, including the admin node.
For more information about installing plugins, refer to the Plugin Installation section of the Documentation.
For a list of the dependencies and their versions, run `mvn dependency:list`. Ensure that all of these are installed in the plugin group; otherwise, they will not be accessible to this plugin and run-time errors will result.
The plugin needs an HttpClient, host, port and path configured in order to communicate with the OpenID AuthZEN PDP.
| Name | Type | Description | Example | Default |
|---|---|---|---|---|
| HttpClient | String | The ID of the HttpClient that the Authorization Manager will use to call the OpenID AuthZEN PDP. | authzen-http-client | |
| PDP Host | String | The hostname of the OpenID AuthZEN PDP. | authzen-pdp.example.com | localhost |
| PDP Port | String | The port that the OpenID AuthZEN PDP is exposing its service on. | 8443 | 443 |
| PDP Path | String | The path of the OpenID AuthZEN PDP that accepts authorization requests. | /pdp | /access/v1/evaluation |
When committed, the Authorization Manager is available to be used throughout the Curity Identity Server.
In order to protect the DCR GraphQL API, the Authorization Manager needs to be added to the Token Service Profile. Navigate to Token Service -> General and, in the drop-down for Authorization Manager, choose the newly created Authorization Manager.

In order to protect the User Management GraphQL API, the Authorization Manager needs to be added to the User Management Profile. Navigate to User Management -> General and, in the drop-down for Authorization Manager, choose the newly created Authorization Manager.
The example request below is what the OpenID AuthZEN Authorization Manager sends to the PDP (the Host and path reflect the configured PDP Host, PDP Port and PDP Path):

```http
POST /services/pdp HTTP/1.1
Host: localhost:443
Content-Type: application/json

{
  "subject": {
    "type": "user",
    "id": "alice"
  },
  "resource": {
    "type": "api",
    "id": "user-management"
  },
  "action": {
    "name": "can_read",
    "properties": {
      "method": "POST"
    }
  }
}
```
The response from the PDP is very simple and just denotes `true` or `false`, depending on whether access is granted or not:

```json
{"decision":false}
```
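To show the PEP/PDP exchange end to end, here is an added example (not code from this plugin or from the Curity SDK) that builds the evaluation request shown above, hands it to a constructed in-process toy PDP holding a small hard-coded policy, and parses the `{"decision": ...}` response on the PEP side. The policy, the subject ids and the `toy_pdp_evaluate` function are assumptions made for the example; the request and response shapes follow the page. The parser treats anything other than a literal JSON `true` (malformed body, a string `"true"`, a missing field) as a deny, which is the fail-closed behaviour a PEP should have.

```python
import json
from typing import Any, Callable

# Constructed policy for the toy PDP: (resource type, resource id) -> action name -> allowed subject ids.
# This is example data only, not a policy from the page or the AuthZEN interop PDPs.
POLICY: dict[tuple[str, str], dict[str, set[str]]] = {
    ("api", "user-management"): {"can_read": {"alice", "bob"}, "can_write": {"alice"}},
    ("api", "dcr"): {"can_read": {"alice"}, "can_write": set()},
}


def pdp_url(host: str = "localhost", port: str = "443", path: str = "/access/v1/evaluation") -> str:
    """Compose the PDP endpoint from the three configuration values in the table (defaults shown)."""
    return f"https://{host}:{port}{path}"


def build_evaluation_request(subject_id: str, resource_id: str, action_name: str, method: str) -> dict[str, Any]:
    """PEP side: the JSON body the Authorization Manager sends, in the shape of the page's example request."""
    return {
        "subject": {"type": "user", "id": subject_id},
        "resource": {"type": "api", "id": resource_id},
        "action": {"name": action_name, "properties": {"method": method}},
    }


def toy_pdp_evaluate(request_body: bytes) -> bytes:
    """Constructed stand-in for the PDP: evaluates the request against POLICY and answers {"decision": bool}."""
    req = json.loads(request_body)
    key = (req["resource"]["type"], req["resource"]["id"])
    allowed = POLICY.get(key, {}).get(req["action"]["name"], set())
    return json.dumps({"decision": req["subject"]["id"] in allowed}).encode()


def parse_decision(response_body: bytes) -> bool:
    """PEP side: grant only on a literal JSON true; any other body (invalid JSON, wrong type, missing key) denies."""
    try:
        payload = json.loads(response_body)
    except (ValueError, UnicodeDecodeError):
        return False
    return isinstance(payload, dict) and payload.get("decision") is True


def authorize(subject_id: str, resource_id: str, action_name: str, method: str,
              send: Callable[[bytes], bytes] = toy_pdp_evaluate) -> bool:
    """Full PEP flow: serialise the request, send it to the PDP (here the toy one), interpret the decision."""
    body = json.dumps(build_evaluation_request(subject_id, resource_id, action_name, method)).encode()
    return parse_decision(send(body))


if __name__ == "__main__":
    print(pdp_url())
    for subject in ("alice", "bob", "carol"):
        print(subject, "can_read user-management:", authorize(subject, "user-management", "can_read", "POST"))
    print("malformed PDP reply ->", parse_decision(b"<html>503</html>"))
```

In the real plugin the `send` step is the configured HttpClient posting to the PDP Host, Port and Path; swapping `toy_pdp_evaluate` for such a call is the only change, and the deny-on-anything-but-`true` parsing stays the same.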
- Please visit curity.io for more information about the Curity Identity Server
- OpenID AuthZEN Working Group
- Curity Identity Server GraphQL APIs
- User Management with GraphQL
- Authorizing Access to User Data
Copyright (C) 2024 Curity AB.