XACML Authorization Manager
The Curity Identity Server ships with several Authorization Managers out-of-the-box. As of version 7.3 it is also possible to develop Authorization Managers as plugins.
An Authorization Manager can apply authorization at different levels of granularity.
This is a code example of an Authorization Manager plugin that obtains an authorization decision from an external XACML PDP and applies that decision to the DCR and User Management GraphQL endpoints.
This example includes a fine-grained data filtration use case where specific fields in the requested payload are redacted based on the external policy. This is achieved within the Authorization Manager by leveraging Obligations.
Obligations
The base interface for obligations is the GraphQLObligation. This interface includes a set of nested types:
BeginOperation Interface
This obligation is used to enforce authorization at the top-level. This means it's used for a binary authorization decision use case to determine if access should be allowed to an API or not.
The canPerformOperation(Input) method is called before the GraphQL operation is executed. The Input object carries information about and a description of the operation, and the method returns an ObligationDecisionResult that indicates whether access is allowed or denied.
CanReadAttributes Interface
This is the obligation used in this example to filter or redact the information returned. In this example it is only applied to a read operation, but the same principle applies to the create, delete and update obligation types. The filterReadAttributes(Input) method returns an instance of ResourceAttributes that represents the data to return. The result can:
- return the original attributes
- return changed/transformed attributes
- fully redact or deny access to specific attributes
This example retrieves the attributes (fields) to redact from a XACML Obligation returned in the PDP's response. The payload returned from the PDP contains an overall decision (e.g., Permit) but can also carry obligations that must be fulfilled together with that decision. It essentially reads as "Permit, provided you also adhere to these additional obligations". An example XACML response from the PDP:
{
  "Response": [
    {
      "Decision": "Permit",
      "Obligations": [
        {
          "Id": "curity-is-access-to-field-allowed",
          "AttributeAssignment": [
            {
              "AttributeId": "phoneNumbers",
              "Value": "false",
              "DataType": "http://www.w3.org/2001/XMLSchema#boolean",
              "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
            },
            {
              "AttributeId": "name",
              "Value": "false",
              "DataType": "http://www.w3.org/2001/XMLSchema#boolean",
              "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
            }
          ]
        }
      ]
    }
  ]
}
In this case two boolean attributes are returned, phoneNumbers and name. The Id of the obligation, curity-is-access-to-field-allowed, indicates that the attribute values define whether access to the field should be allowed. In the example response above both attributes hold the value false, meaning access to these two fields is not allowed and they should therefore be filtered out of the API response. The filterReadAttributes(Input) method iterates over the attributes to return and removes them accordingly.
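As an added illustration of the obligation handling described above (not the plugin's own code, which is written in Java against the Curity SDK), this standalone Python model parses the PDP response shown on this page, treats any non-Permit decision or any obligation it does not recognise as a deny, and removes the flagged fields from a constructed sample resource:

```python
import json
from typing import Optional

XACML_RESOURCE_CATEGORY = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
XSD_BOOLEAN = "http://www.w3.org/2001/XMLSchema#boolean"
FIELD_ACCESS_OBLIGATION_ID = "curity-is-access-to-field-allowed"  # obligation Id from the page

# Constructed sample: the PDP response shown above, as the JSON string the PEP would receive
SAMPLE_PDP_RESPONSE = json.dumps({"Response": [{"Decision": "Permit", "Obligations": [{
    "Id": FIELD_ACCESS_OBLIGATION_ID,
    "AttributeAssignment": [
        {"AttributeId": "phoneNumbers", "Value": "false", "DataType": XSD_BOOLEAN,
         "Category": XACML_RESOURCE_CATEGORY},
        {"AttributeId": "name", "Value": "false", "DataType": XSD_BOOLEAN,
         "Category": XACML_RESOURCE_CATEGORY},
    ]}]}]})


def denied_fields(pdp_response: str) -> Optional[set]:
    """Fields the PDP requires the PEP to redact, or None when the read must be denied
    outright (non-Permit decision, or an obligation this PEP cannot fulfil)."""
    results = json.loads(pdp_response).get("Response", [])
    if len(results) != 1 or results[0].get("Decision") != "Permit":
        return None  # fail closed on Deny, NotApplicable, Indeterminate or a malformed reply
    denied = set()
    for obligation in results[0].get("Obligations", []):
        if obligation.get("Id") != FIELD_ACCESS_OBLIGATION_ID:
            return None  # XACML: a Permit whose obligations cannot be discharged is a Deny
        for assignment in obligation.get("AttributeAssignment", []):
            if (assignment.get("Category") == XACML_RESOURCE_CATEGORY
                    and assignment.get("DataType") == XSD_BOOLEAN
                    and str(assignment.get("Value", "")).lower() == "false"):
                denied.add(assignment["AttributeId"])
    return denied


def filter_read_attributes(attributes: dict, pdp_response: str) -> Optional[dict]:
    """Model of filterReadAttributes(Input): drop redacted fields; None denies the whole read."""
    denied = denied_fields(pdp_response)
    if denied is None:
        return None
    return {name: value for name, value in attributes.items() if name not in denied}


if __name__ == "__main__":
    # Constructed sample user record
    user = {"userName": "alice", "name": {"givenName": "Alice"}, "phoneNumbers": ["+1555"]}
    print(filter_read_attributes(user, SAMPLE_PDP_RESPONSE))  # {'userName': 'alice'}
```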
Running the example
The code example repository includes an open-source version of the AuthzForce XACML PDP for demo and test purposes. Policies are expressed in the ALFA language because it is easier to read, but a representation of the policies in XACML format is also included and is loaded into the PDP when it is run for testing.
Detailed instructions on building, deploying and testing the plugin are provided in the repo README.
Summary
Custom Authorization Managers can be powerful plugins for applying coarse- and fine-grained authorization to the payload returned from both the DCR and User Management GraphQL APIs of the Curity Identity Server. Several different approaches could be implemented for this purpose; XACML, which this example code implements, is just one of them. Other options include:
- Any other system that implements the XACML standard
- OpenPolicyAgent and Rego policies
- Other custom authorization models