hexa-org / policy-opa

Supports integration of Hexa IDQL Policy into OPA environments
Apache License 2.0

Update Subject Info to encoded member values #3

Closed independentid closed 5 months ago

independentid commented 6 months ago

OPA Rego currently assumes SubjectInfo has "type", "provider" and other configuration variables.

Current IDQL subjectInfo just has "members: []string". This means we have to use an encoded member value. E.g.

```json
"members" : ["type:jwt:provider:myTestIDP:iss:testIssuer:aud:testAudience:role:abc","BaSicBob"]
```

In OPA we want to express multiple authentication types including Basic and JWT. In the case of JWT we need to include params like issuer and audience.

The other issue is how to express specific users within a type. Do we prefix every user with type:jwt:.... or break the rules a bit and express as above, where "basicbob" is allowed if authenticated via JWT?

Note: this is a quasi-bug, as current members won't be handled properly without changes to the OPA provider and/or rego.
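An added example (not hexa-org code) of what the OPA side would have to do with the encoded member form shown above: parse "key:value:key:value" entries, treat anything else as a plain user id, and match both against an authenticated subject. The Subject field names, the set of recognised keys (type, provider, iss, aud, role), the all-values-must-be-present rule, and the case-insensitive match for plain user ids are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Subject is the authenticated caller as the OPA side sees it after the
// Basic or JWT check. Field names are assumptions for this example.
type Subject struct {
	Type     string   // "basic" or "jwt"
	Provider string
	Issuer   string   // JWT iss
	Audience []string // JWT aud may be a list
	Roles    []string
	ID       string   // user name (Basic) or sub (JWT)
}

// encodedKeys are the keys the encoded member form from the issue carries.
var encodedKeys = map[string]bool{"type": true, "provider": true, "iss": true, "aud": true, "role": true}

// ParseEncodedMember splits "key:value:key:value..." into a multi-map.
// A token that is not a known key is glued back onto the current value with
// ":", so an issuer such as "https://idp.example" survives the colon split.
// A member that does not start with a known key is a plain user id.
func ParseEncodedMember(member string) (attrs map[string][]string, plainID string) {
	tokens := strings.Split(member, ":")
	if !encodedKeys[tokens[0]] {
		return nil, member
	}
	attrs = map[string][]string{}
	key, val := "", ""
	flush := func() {
		if key != "" {
			attrs[key] = append(attrs[key], val)
		}
	}
	for _, tok := range tokens {
		if encodedKeys[tok] {
			flush()
			key, val = tok, ""
			continue
		}
		if val == "" {
			val = tok
		} else {
			val += ":" + tok
		}
	}
	flush()
	return attrs, ""
}

// MemberMatches reports whether one member entry admits the subject.
// Encoded entries require every listed value to be present on the subject;
// plain entries match the user id case-insensitively (the "basicbob" case
// from the issue) whatever the authentication type. An empty id never matches.
func MemberMatches(member string, s Subject) bool {
	attrs, plainID := ParseEncodedMember(member)
	if attrs == nil {
		return plainID != "" && strings.EqualFold(plainID, s.ID)
	}
	for key, wanted := range attrs {
		var have []string
		switch key {
		case "type":
			have = []string{s.Type}
		case "provider":
			have = []string{s.Provider}
		case "iss":
			have = []string{s.Issuer}
		case "aud":
			have = s.Audience
		case "role":
			have = s.Roles
		}
		for _, w := range wanted {
			if !contains(have, w) {
				return false
			}
		}
	}
	return true
}

func contains(set []string, v string) bool {
	for _, x := range set {
		if x == v {
			return true
		}
	}
	return false
}

// AnyMemberMatches is the whole "members" check: one admitting entry is enough.
func AnyMemberMatches(members []string, s Subject) bool {
	for _, m := range members {
		if MemberMatches(m, s) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed from the members value quoted in the issue.
	members := []string{"type:jwt:provider:myTestIDP:iss:testIssuer:aud:testAudience:role:abc", "BaSicBob"}
	alice := Subject{Type: "jwt", Provider: "myTestIDP", Issuer: "testIssuer", Audience: []string{"testAudience"}, Roles: []string{"abc"}, ID: "alice"}
	bob := Subject{Type: "basic", ID: "basicbob"}
	mallory := Subject{Type: "jwt", Provider: "myTestIDP", Issuer: "evilIssuer", Audience: []string{"testAudience"}, Roles: []string{"abc"}, ID: "mallory"}
	fmt.Println(AnyMemberMatches(members, alice), AnyMemberMatches(members, bob), AnyMemberMatches(members, mallory))
}
```

The re-joining of unknown tokens is a heuristic needed because real JWT issuers are usually URLs and so contain ":"; a purely positional split of the encoded form would break on them, which is one more reason to prefer structured fields over an encoded string.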

independentid commented 6 months ago

In order to keep the semantics of members simple, recommend moving the type logic down to conditions since most apps rarely accept multiple types (e.g. basic and jwt) at the same time. Based on this, what subjects does is match the authenticated subject quickly to decide whether to process extended authentication information that may be part of conditions. Recommend subjects have the following variations:

To test if a subject was authenticated by JWT with a particular issuer and aud (above example):

```
subject.type eq "jwt" and subject.iss eq "testIssuer" and "testAudience" in subject.aud
```
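The condition proposed above, as an added example (not hexa-org code): a small Go evaluator for conditions of the shape `subject.<attr> eq "<value>"` and `"<value>" in subject.<attr>` joined by `and`. The SubjectAttrs map, the fail-closed rule for attributes the subject does not carry, and the rule that eq on a multi-valued attribute (such as a JWT aud array) is an error rather than a silent mismatch are assumptions of this example; the real IDQL condition grammar is wider than this.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// SubjectAttrs holds the authenticated subject's attributes as the policy
// evaluator sees them. Values are lists because a JWT aud claim may be an
// array. Example shape, not the project's type.
type SubjectAttrs map[string][]string

// tokenize splits on whitespace but keeps double-quoted literals intact
// (the quote marks are retained so literal() can recognise them).
func tokenize(expr string) []string {
	var toks []string
	var cur strings.Builder
	inQuote := false
	for _, r := range expr {
		switch {
		case r == '"':
			inQuote = !inQuote
			cur.WriteRune(r)
		case !inQuote && unicode.IsSpace(r):
			if cur.Len() > 0 {
				toks = append(toks, cur.String())
				cur.Reset()
			}
		default:
			cur.WriteRune(r)
		}
	}
	if cur.Len() > 0 {
		toks = append(toks, cur.String())
	}
	return toks
}

func attrRef(tok string) (string, error) {
	const prefix = "subject."
	if !strings.HasPrefix(tok, prefix) || len(tok) == len(prefix) {
		return "", fmt.Errorf("expected subject.<attr>, got %q", tok)
	}
	return tok[len(prefix):], nil
}

func literal(tok string) (string, error) {
	if len(tok) < 2 || tok[0] != '"' || tok[len(tok)-1] != '"' {
		return "", fmt.Errorf("expected quoted literal, got %q", tok)
	}
	return tok[1 : len(tok)-1], nil
}

// Evaluate decides `<clause> and <clause> ...` where a clause is
// `subject.<attr> eq "<value>"` or `"<value>" in subject.<attr>`.
// Every clause is parsed even after one has failed, so a syntax error in the
// policy is reported regardless of the subject's data. An attribute the
// subject does not carry never matches (fail closed).
func Evaluate(expr string, subj SubjectAttrs) (bool, error) {
	toks := tokenize(expr)
	result := true
	for i := 0; ; i += 4 {
		if i+3 > len(toks) {
			return false, fmt.Errorf("incomplete clause at token %d", i)
		}
		lhs, op, rhs := toks[i], toks[i+1], toks[i+2]
		ok := false
		switch op {
		case "eq":
			attr, err := attrRef(lhs)
			if err != nil {
				return false, err
			}
			want, err := literal(rhs)
			if err != nil {
				return false, err
			}
			have := subj[attr]
			if len(have) > 1 {
				return false, fmt.Errorf("subject.%s is multi-valued; use in", attr)
			}
			ok = len(have) == 1 && have[0] == want
		case "in":
			want, err := literal(lhs)
			if err != nil {
				return false, err
			}
			attr, err := attrRef(rhs)
			if err != nil {
				return false, err
			}
			for _, v := range subj[attr] {
				if v == want {
					ok = true
					break
				}
			}
		default:
			return false, fmt.Errorf("unknown operator %q", op)
		}
		result = result && ok
		if i+3 == len(toks) {
			return result, nil
		}
		if toks[i+3] != "and" {
			return false, fmt.Errorf("expected and, got %q", toks[i+3])
		}
	}
}

func main() {
	// Constructed subject matching the issuer/audience example in the issue.
	jwt := SubjectAttrs{"type": {"jwt"}, "iss": {"testIssuer"}, "aud": {"other", "testAudience"}}
	cond := `subject.type eq "jwt" and subject.iss eq "testIssuer" and "testAudience" in subject.aud`
	fmt.Println(Evaluate(cond, jwt))
	fmt.Println(Evaluate(cond, SubjectAttrs{"type": {"basic"}}))
}
```

Keeping type, iss and aud as separate attributes makes the audience check a set membership test, which is the point of the proposal: with the encoded member string the same check has to be reconstructed from a colon-separated value.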