Open Policy Agent Authorization Manager
As of version 7.3 of the Curity Identity Server it is possible to develop custom Authorization Manager plugins using the Curity Plugin SDK. An Authorization Manager can be configured to handle fine-grained access to several exposed APIs, such as the GraphQL APIs for both user management and DCR management. This code example of a custom Authorization Manager leverages Open Policy Agent (OPA) as an external fine-grained authorization engine to obtain authorization decisions for the user management and DCR APIs. The example also showcases the ability to filter data returned by these APIs using Obligations. It implements the GraphQLObligation.CanReadAttributes interface and redacts specific fields from the returned payload based on the OPA response.
Obligations
The base interface for obligations is the GraphQLObligation. This interface includes a set of nested types:
BeginOperation Interface
This obligation is used to enforce authorization at the top-level. This means it's used for a binary authorization decision use case to determine if access should be allowed to an API or not.
The canPerformOperation(Input) method is called before the GraphQL operation is executed. The Input object contains information about and a description of the operation, and the method returns an ObligationDecisionResult that indicates whether access is allowed or denied.
CanReadAttributes Interface
This is the obligation used in this example to filter/redact the information returned. In this example it is only applied to a read operation, but the same principle applies to obligations of type create, delete and update. The filterReadAttributes(Input) method returns an instance of ResourceAttributes that represents the data to return. The result returned can
- return the original attributes
- return changed/transformed attributes
- fully redact or deny access to specific attributes
This example implements an attribute in the Rego policy used by OPA that indicates what fields should be redacted/filtered in the response.
{"result": {"allow": true,"unauthorized_fields": ["name","phoneNumbers"]}}
The overall decision is allow==true, but the attribute unauthorized_fields indicates that name and phoneNumbers are not authorized and thus should be removed from the response. The filterReadAttributes(Input) method iterates over the attributes to return and removes them accordingly.
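The following is an added, stand-alone illustration of the two decision steps described above (the top-level BeginOperation allow/deny and the CanReadAttributes redaction driven by unauthorized_fields). It is not code from the example repository and does not use the Curity Plugin SDK types; the function names, the sample user record and the OPA response document are constructed for this illustration. It goes slightly beyond the article by also accepting dotted paths (e.g. "name.givenName") in unauthorized_fields so that a single nested attribute can be redacted, and by treating any malformed or non-boolean decision as deny.

```python
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed OPA decision document, shaped like the one shown in the article:
# the top-level allow decision plus the fields the policy says must be redacted.
OPA_RESPONSE = '{"result": {"allow": true, "unauthorized_fields": ["name", "phoneNumbers"]}}'

# Constructed user record, modelled loosely on a SCIM-style user management payload.
USER_RECORD: Dict[str, Any] = {
    "id": "user-123",
    "userName": "alice",
    "name": {"givenName": "Alice", "familyName": "Example"},
    "phoneNumbers": [{"value": "+1-555-0100", "type": "work"}],
    "emails": [{"value": "alice@example.com", "primary": True}],
}


def parse_decision(raw: str) -> Tuple[bool, List[str]]:
    """Parse an OPA decision document into (allow, unauthorized_fields).

    Fail closed: a document that is not valid JSON, lacks a boolean true
    "allow", or carries a malformed unauthorized_fields list is treated as deny.
    """
    try:
        result = json.loads(raw).get("result", {})
    except (json.JSONDecodeError, AttributeError):
        return False, []
    if not isinstance(result, dict):
        return False, []
    allow = result.get("allow") is True  # only the boolean true counts, not "true"
    fields = result.get("unauthorized_fields", [])
    if not isinstance(fields, list) or not all(isinstance(f, str) for f in fields):
        return False, []
    return allow, fields


def can_perform_operation(raw: str) -> bool:
    """BeginOperation-style binary decision for the whole GraphQL operation."""
    allow, _ = parse_decision(raw)
    return allow


def _remove_path(obj: Any, path: str) -> Any:
    """Return a copy of obj with the dotted attribute path removed.

    Unknown keys are ignored; the input is never mutated so the original
    record stays available to the caller.
    """
    head, _, rest = path.partition(".")
    if not isinstance(obj, dict) or head not in obj:
        return obj
    if not rest:
        return {k: v for k, v in obj.items() if k != head}
    copy = dict(obj)
    copy[head] = _remove_path(obj[head], rest)
    return copy


def filter_read_attributes(raw: str, attributes: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """CanReadAttributes-style filtering.

    Returns the record with every unauthorized field removed, or None when the
    decision is deny (so no attributes are returned at all).
    """
    allow, unauthorized = parse_decision(raw)
    if not allow:
        return None
    filtered: Any = attributes
    for path in unauthorized:
        filtered = _remove_path(filtered, path)
    return filtered


if __name__ == "__main__":
    print("operation allowed:", can_perform_operation(OPA_RESPONSE))
    print("filtered record:", json.dumps(filter_read_attributes(OPA_RESPONSE, USER_RECORD), indent=2))
```

With the constructed response, the record returned keeps id, userName and emails while name and phoneNumbers are dropped; a deny decision yields no record, and a response the policy engine could not evaluate (invalid JSON, or allow given as a string) is also treated as deny rather than as an empty redaction list.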
Running the example
The example repository includes a docker-compose file that will start a fully operational environment that can be used to test and explore the OPA Authorization Manager. Instructions for how to build, deploy and test the plugin are available in the README in the code repository.
Summary
Authorization Managers are very useful for handling coarse- and fine-grained authorization of the data exposed by the DCR and User Management GraphQL APIs. This example handles data that is read, but the same approach could easily be applied to data that is written (for example, when creating a user).