Policies
Axiomatics Authorization Policy
This policy will authorize requests using Axiomatics Policy Server. If the request is not authorized, a 403 response will be returned.
This policy is designed to be highly customizable in order to tailor the
authorization requests to the specific needs of your application. You can add
default attributes on the policy that are included in every request, or you can
programmatically add attributes to the request using the setAuthAttributes
method.
Using this policy in conjunction with an authorization policy will automatically set AttributeSubject attributes for the user in the request.
Beta
This policy is in beta. You can use it today, but it may change in non-backward compatible ways before the final release.
Configuration
The configuration shows how to configure the policy in the 'policies.json' document.
{ "name": "my-axiomatics-authz-inbound-policy", "policyType": "axiomatics-authz-inbound", "handler": { "export": "AxiomaticsAuthZInboundPolicy", "module": "$import(@zuplo/runtime)", "options": { "pdpPassword": "$env(PDP_PASSWORD)", "pdpUrl": "https://pdp.example.com", "pdpUsername": "pdp-user" } } }
Policy Options
The options for this policy are specified below. All properties are optional unless specifically marked as required.
allowUnauthorizedRequests<boolean> -Indicates whether the request should continue if authorization fails. Default isDefaults tofalsewhich means unauthorized users will automatically receive a 403 response.false.pdpUrl<string> (Required) -The URL to which the plugin will make a JSON POST request before proxying the original request.pdpUsername<string> (Required) -The username to use when authenticating with the PDP.pdpPassword<string> (Required) -The password to use when authenticating with the PDP.includeDefaultActionAttributes<boolean> -Indicates whether the plugin should include default action attributes in the authorization request.Defaults totrue.includeDefaultResourceAttributes<boolean> -Indicates whether the plugin should include default resource attributes in the authorization request.Defaults totrue.includeDefaultSubjectAttributes<boolean> -Indicates whether the plugin should include default subject attributes in the authorization request.Defaults totrue.tokenHeaderName<string> -The name of the header that carries the JWT.Defaults to"Authorization".accessSubjectAttributes<object[]> -A list of attributes that will be included in the authorization request.attributeId<string> (Required) -The attribute ID that will be used in the PDP request.value<string> (Required) -The value of the attribute.
resourceAttributes<object[]> -A list of attributes that will be included in the authorization request.attributeId<string> (Required) -The attribute ID that will be used in the PDP request.value<string> (Required) -The value of the attribute.
actionAttributes<object[]> -A list of attributes that will be included in the authorization request.attributeId<string> (Required) -The attribute ID that will be used in the PDP request.value<string> (Required) -The value of the attribute.
Using the Policy
Authorization Attributes#
There are a few different ways authorization attributes are set on the authorization request.
Default Attributes#
By default the policy will set the following attributes on the authorization request:
request.user.sub- (AccessSubject) The subject of the user making the request. Only set if the user is authenticated.request.method- (Action) The HTTP method of the request.request.scheme- (Resource) The scheme of the request URL.request.host- (Resource) The host of the request URL.request.pathname- (Resource) The pathname of the request URL.request.query.*- (Resource) The value of each query parameter in the request URL. For example?foo=bazwould setrequest.query.foo=baz.request.params.*- (Resource) The value of each path parameter in the request URL. For example the route pattern/accounts/:idwould setrequest.params.accounts=value.
The default attributes can be disabled by setting the policy options that start
with includeDefault to false, for example
includeDefaultResourceAttributes: false will disable the Resource category
attributes.
Below is an example of the default authorization request.
{ "Request": { "AccessSubject": [ { "Attribute": [ { "AttributeId": "request.user.sub", "Value": "nate" } ] } ], "Action": [ { "Attribute": [ { "AttributeId": "request.method", "Value": "GET" } ] } ], "Resource": [ { "Attribute": [ { "AttributeId": "request.scheme", "Value": "https" }, { "AttributeId": "request.host", "Value": "my-api-main-bdeec51.d2.zuplo.dev" }, { "AttributeId": "request.pathname", "Value": "/test" }, { "AttributeId": "request.params.id", "Value": "123" }, { "AttributeId": "request.query.param", "Value": "1" } ] } ] } }
Hard Coded Attributes#
In some cases it cane be useful to set hard coded attributes on the policy itself. On case for this might be to set the environment the API is running in so that different policies can be applied to say a staging or development environment.
An example of how you could set the custom.environment attribute to an
environment variable is shown below.
"resourceAttributes": [ { "attributeId": "custom.environment", "value": "$env(CUSTOM_ENVIRONMENT)" } ]
Programmatically Setting Attributes#
For the more robust customization of the authorization request, you can set authorization attributes programmatically. This is done by running a custom inbound policy before the authorization policy. The custom policy can set any attribute on the authorization request.
Below is an example of how you could set the custom.resourceId attribute to
the value of a property in the request body.
import { ZuploContext, ZuploRequest, AxiomaticsAuthZInboundPolicy, } from "@zuplo/runtime"; export default async function policy( request: ZuploRequest, context: ZuploContext, options: MyPolicyOptionsType, policyName: string ) { // Get the body of the request const body = await request.json(); // Set the custom attribute AxiomaticsAuthZInboundPolicy.setAuthAttributes(context, { Resource: [ { Attribute: [ { AttributeId: "custom.recordId", Value: body.recordId, }, ], }, ], }); return request; }
Read more about how policies work