Xabaril / Balea

Balea is an authorization framework for ASP.NET Core developers.
Apache License 2.0

Balea as a centralized service #41

Closed msschl closed 3 years ago

msschl commented 3 years ago

Hi,

I've seen this project in the latest ASP.NET Community Standup. As someone pointed out in the questions, it is not always possible to add the configuration for Balea from an SQL database using .AddEntityFrameworkCoreStore. Therefore, it would be nice to have Balea running as a centralized service, for example within or next to an identity service, and have other services query the Balea service via HTTP. Also, having some caching strategies integrated would be nice. Something like what IdentityModel.AspNetCore.OAuth2Introspection is doing, but just for the permissions, roles, delegations, ...

msschl commented 3 years ago

So to clarify, I mean something like this in service A:

services
    .AddBalea(options =>
    {
        options.DefaultClaimTypeMap = new DefaultClaimTypeMap
        {
            RoleClaimType = JwtClaimTypes.Role,
            NameClaimType = JwtClaimTypes.Name,
        };

        options.DefaultClaimTypeMap.AllowedSubjectClaimTypes.Clear();
        options.DefaultClaimTypeMap.AllowedSubjectClaimTypes.Add(JwtClaimTypes.Subject);
    })
    .AddBaleaBackendStore(options =>
    {
        options.BackendAddress = "https://balea.company.xyz";
        options.ApplicationId = "id identifying the service"; // maybe to authorize requests to the balea service, so that permissions, ..., are kept secure and
                                                          // only accessible from a registered service or in your words (application).
        options.ApplicationSecret = "0152b6c7-1544-4b1d-a7e6-d33b53564f91";

        options.EnableCaching = true;
        options.CacheDuration = TimeSpan.FromMinutes(1); // So that not every request to this service has to do a request to balea, i.e. cache for some period of time
    });

Maybe something like this?

lurumad commented 3 years ago

Hi @msschl

First of all, sorry for not explaining this part in depth yesterday, my fault.

We have already implemented a distributed store. You can see the code here https://github.com/Xabaril/Balea/tree/master/src/Balea.Api.Store

The API Store supports cache and retry strategies.

services
    .AddBalea(options =>
    {
        options.UnauthorizedFallback = AuthorizationFallbackAction.RedirectToAction("Account", "AccessDenied");
        options.DefaultClaimTypeMap = new DefaultClaimTypeMap
        {
            PermissionClaimType = "permissions"
        };
    })
    .AddApiStore(cfg =>
    {
        cfg.UseApiKey("YynDwPwcxlS6+3gV/p3rCxMGMDDuO+zPc/gI4JA02jU=");
        cfg.UseBaseAddress(new System.Uri("https://baleaserverdev.azurewebsites.net"));
        cfg.UseCache(absoluteExpirationRelativeToNow: TimeSpan.FromSeconds(30));
    });

As we said yesterday, the backend store and the admin UI are not open source, but of course you can build your own auth server.

You only need to create an ASP.NET Core API with the Balea EFCore store and expose an endpoint with the signature required by the API Store:

https://github.com/Xabaril/Balea/blob/09d0915e92e2f6cb0111fd0fe12a966be8254b82/src/Balea.Api.Store/ApiRuntimeAuthorizationServerStore.cs#L99

Regards!
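
The pattern discussed in this thread, as an added illustration that is not Balea's own code nor the contract of its API Store: a central authorization lookup endpoint that only answers callers presenting the shared API key, and a consuming service that caches answers for a short window. The route, the X-Api-Key header, the JSON shape, the key value and the subject data are all constructed assumptions; the in-memory dictionary stands in for the EF Core store.

```csharp
// Added illustration, not Balea's code. Route, header name, payload shape and
// sample data are assumptions; the dictionary stands in for the EF Core store.
using System.Net.Http.Json;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Extensions.Caching.Memory;

var app = WebApplication.CreateBuilder(args).Build();

// Constructed sample key; in production load it from configuration or a secret store.
byte[] expectedKey = Encoding.UTF8.GetBytes("replace-with-a-long-random-key");

// Constructed sample data: subject -> granted permissions.
var store = new Dictionary<string, string[]>
{
    ["alice"] = ["orders.read", "orders.write"],
    ["bob"] = ["orders.read"],
};

app.MapGet("/authorization/{subject}", (string subject, HttpRequest request) =>
{
    // Only registered services may read permission data; compare the key in
    // constant time so the check does not leak how many bytes matched.
    if (!request.Headers.TryGetValue("X-Api-Key", out var presented) ||
        !CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(presented.ToString()), expectedKey))
        return Results.Unauthorized();
    return store.TryGetValue(subject, out var perms) ? Results.Ok(perms) : Results.NotFound();
});
app.Run();

// Consumer side: cache each subject's permissions with an absolute expiration so
// not every request hits the authorization service. A revoked permission stays
// honoured locally for at most this window, so keep it short.
sealed class CachedAuthorizationClient(HttpClient http, IMemoryCache cache, string apiKey)
{
    private static readonly TimeSpan Ttl = TimeSpan.FromSeconds(30);

    public Task<string[]?> GetPermissionsAsync(string subject) =>
        cache.GetOrCreateAsync($"authz:{subject}", async entry =>
        {
            entry.AbsoluteExpirationRelativeToNow = Ttl;
            using var req = new HttpRequestMessage(HttpMethod.Get,
                $"/authorization/{Uri.EscapeDataString(subject)}");
            req.Headers.Add("X-Api-Key", apiKey);
            using var resp = await http.SendAsync(req);
            resp.EnsureSuccessStatusCode();
            return await resp.Content.ReadFromJsonAsync<string[]>();
        });
}
```

The client's BaseAddress is expected to point at the service above, mirroring cfg.UseBaseAddress in the API Store configuration.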

msschl commented 3 years ago

Thank you very much. I might have misunderstood that yesterday. However, thanks for the clarification. I will try this out.