Composite TIA Plugin

Combine multiple Token Issuance Authorizers and apply them together to the same scope.

Use Cases

A scope can only be assigned one TIA plugin, but some real-world rules need to be expressed as the combination of several independent checks. The Composite TIA plugin lets you group an ordered list of child TIAs into a single authorizer and assign that group to a scope.

Process

When the server requests a decision for a scope, the composite calls each child TIA in the configured order, passing the scopes the child still needs to evaluate. After each child returns, scopes for which the child returned a Deny decision are removed from the set passed to subsequent children — this avoids unnecessary work, which is particularly useful when one of the children is an external call (e.g. the AuthZen TIA delegating to a PDP).

The decisions produced by every child are kept and applied together. The server resolves combinations as follows:

  • if any child denies a scope, the scope is denied;
  • if a child requires user consent for a scope, the scope requires user consent (other decisions for the same scope from sibling children are still applied alongside);
  • if multiple children set a scope time-to-live, the smallest time-to-live wins;
  • otherwise the scope is allowed.
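
The following Python model of the process above is an added example, not code from the product or its SDK. It shows that child order changes which scopes a child is asked about but not the combined result. `Decision`, `combine`, `evaluate`, the sample children and the scope names are hypothetical, and skipping children once no scopes remain is an assumption.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

@dataclass
class Decision:  # hypothetical shape for this sketch, not an SDK type
    deny: bool = False
    consent: bool = False
    ttl: Optional[int] = None  # scope time-to-live in seconds

Child = Tuple[str, Callable[[Set[str]], Dict[str, Decision]]]

def combine(decisions: List[Decision]):
    """Resolution rules from the list above, applied to one scope."""
    if any(d.deny for d in decisions):
        return ("deny", None)
    ttls = [d.ttl for d in decisions if d.ttl is not None]
    outcome = "consent" if any(d.consent for d in decisions) else "allow"
    return (outcome, min(ttls) if ttls else None)  # smallest TTL wins

def evaluate(children: List[Child], scopes: Set[str]):
    """Call children in order, pruning denied scopes, then combine decisions."""
    remaining = set(scopes)
    kept: Dict[str, List[Decision]] = {s: [] for s in scopes}
    calls = []  # (child name, scopes it was asked about), for inspection
    for name, child in children:
        if not remaining:  # assumption: nothing left to ask, so skip the call
            break
        calls.append((name, frozenset(remaining)))
        for scope, decision in child(set(remaining)).items():
            kept[scope].append(decision)
            if decision.deny:
                remaining.discard(scope)  # later children never see it
    return {s: combine(d) for s, d in kept.items()}, calls

# Constructed children: a policy check standing in for an external PDP call,
# a consent rule with its own TTL, and a blanket short-TTL rule.
def pdp(scopes):
    return {s: Decision(deny=(s == "payments:write")) for s in scopes}

def consent(scopes):
    return {s: Decision(consent=True, ttl=900) for s in scopes if s == "profile"}

def short_ttl(scopes):
    return {s: Decision(ttl=300) for s in scopes}

REQUESTED = {"profile", "accounts:read", "payments:write"}
ORDER_A = [("pdp", pdp), ("consent", consent), ("short_ttl", short_ttl)]
ORDER_B = [("short_ttl", short_ttl), ("consent", consent), ("pdp", pdp)]
```

With `ORDER_A` the denied scope is pruned after the first child, so the two later children are never asked about it; with `ORDER_B` every child evaluates all three scopes before the deny arrives, yet both orders resolve to the same decisions.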

A composite TIA can reference other composite TIAs as its children, so authorization bundles can themselves be reused inside larger bundles.

Direct self-reference (a composite listing itself as a child) is rejected when the configuration is saved. Indirect cycles (A → B → A, A → B → C → A, …) are also rejected at commit time, before the configuration is loaded by the server.

Configuration

The Composite TIA plugin has a single configuration option:

  • token-issuance-authorizer — an ordered list of references to other TIA plugins configured in the same profile. The list must contain at least one entry. Children are invoked in the order they appear, which controls when the short-circuit on Deny takes effect but does not change the final decision.
