/api-fga-auth0-opa

Demo fine-grained authorization for a multi-tenanted API using Auth0 and OPA.

Primary LanguageOpen Policy Agent

Auth0 & Open Policy Agent (OPA) for Fine Grained API Authorization

Motivation

  • Real world authorization policies and the associated metadata required to arrive at an authorization decision can be complex and extremely varied (snowflake) from org to org.
  • Auth0 can help with API authorization via a combination of Rules, Roles & Permissions. This can be called as Coarse Grained Authorization (CGA).
  • However, when policies are/can become fine grained, it is advisable to externalize Fine Grained Authorization (FGA) to an org-wide centralized service for cleaner design, flexibility, scalability, CI/CD, and overall better management.
  • OPA can be the building block for such a service (FGAaaS) by serving as a centralized general purpose Policy Decision Point.
  • This repository covers a sample application to demonstrate this pattern for a Multi-tenant API.

Solution Flow

  1. Client app acquires an Auth0 issued access_token on behalf of the authenticated user

    • The standard Authorization Code Flow can be used here.
      • This flow is not relevant to the authorization logic or decision and hence isn't covered here.
    • The access_token can be decorated with custom claims using Auth0 Rules.
      • The only custom claim in use in this solution is http://example.com/authn_loa which indicates the Level of Assurance of the Authentication mechanism used while authenticating the user.

  2. Client app makes an API call with the access_token.

    • HTTP-METHOD /api/v1/:tenant/:resource
    • e.g. GET /api/v1/cocacola/content_route
    • Authorization: Bearer access_token

  3. API code then requests OPA for an Authorization Decision

    • Here we can either use a middleware like this for Spring or this for Node. This repo uses the one for Node.
    • The middleware auto prepares input JSON which includes relevant request context.
    • It then makes a call to OPA for want of an authorization decision.

  4. OPA computes the authorization decision

    • OPA decodes the access_token and extracts user_id and authn_loa from the sub and http://example.com/authn_loa claims respectively.
    • Using all the info OPA then computes the authorization decision and responds to the API.

  5. API honours the decision and allows/denies the request.

Running the Sample

  1. Clone this repo

    git clone https://github.com/jatinvaidya/api-fga-auth0-opa.git

  2. Change to repo folder

    cd api-fga-auth0-opa

  3. Create app/.env and api/.env files referring to the respective .env.sample files.

  4. Start api and opa containers

    docker-compose up

  5. Feed policy and data to OPA

    cd opa

    curl --request PUT --url http://localhost:8181/v1/policies/example --data-binary @policy.rego

    curl --request PUT --url http://localhost:8181/v1/data/example --data-binary @data.json

  6. Run the test app with some arguments and check results. See examples below.

    docker run --net fga-network fga-demo/app-image:latest --username admin01@example.com --password Mju76yhn --tenant cocacola --resource vpc --action GET

    docker run --net fga-network fga-demo/app-image:latest --username user01@example.com --password Mju76yhn --tenant cocacola --resource vpc --action DELETE