ory / hydra

The most scalable and customizable OpenID Certified™ OpenID Connect and OAuth Provider on the market. Become an OpenID Connect and OAuth2 Provider over night. Broad support for related RFCs. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=hydra
Apache License 2.0

warden: check against multiple policies #264

Closed waynerobinson closed 6 years ago

waynerobinson commented 8 years ago

Request round-trip times can be annoying and not all permission checks are for single resources.

It would be nice to be able to include multiple token/allowed requests in a single call.

aeneasr commented 8 years ago

Good idea regarding policies, but do you really need to check for multiple tokens per request?

waynerobinson commented 8 years ago

Nope. One token is fine, as is a simplified response that basically includes an OK/Fail for each check.

On Friday, 23 September 2016, Aeneas notifications@github.com wrote:

Good idea regarding policies, but do you really need to check for multiple tokens per request?


aeneasr commented 8 years ago

OK, what would the default behaviour be, allow access if one of the resources is allowed? What if one policy is explicitly set to deny?

waynerobinson commented 8 years ago

One result per resource/action check in an array.

On Friday, 23 September 2016, Aeneas notifications@github.com wrote:

OK, what would the default behaviour be, allow access if one of the resources is allowed? What if one policy is explicitly set to deny?


aeneasr commented 8 years ago

That makes sense!

aeneasr commented 7 years ago

@waynerobinson is this something you want for the stable release, or is it more like a "nice to have"?

waynerobinson commented 7 years ago

No, this is just a nice to have for now. We can make do without. We're still working through the best way to get Warden to work in our app and we can always build our client interface to be easily upgradable to be able to request multiple policies later.

aeneasr commented 7 years ago

Thanks for the quick response. I'm sorting out priorities for the stable release of Hydra and wanted to check with you if it's something you want included there. From what you said I take it as a low prio :)

theflyingcoder commented 7 years ago

It looks like we may have a need for this and I'm looking into how best to implement this. Let me know if you guys have any concerns/suggestions.

joshuarubin commented 7 years ago

This would be hugely beneficial for us as well. Right now we have to loop through several possible actions and check with warden for each of them for a single request to our api.

aeneasr commented 6 years ago

This is now an upstream at https://github.com/ory/keto/issues/15
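The behaviour agreed on in the thread (one token, several resource/action checks, one OK/Fail result per check in an array) can be sketched as follows. This is an added example, not code from Hydra or Keto: the `Policy`, `Check`, `Result` and `CheckBatch` names, the exact-match policy model and the deny-overrides, default-deny evaluation are all assumptions made for illustration.

```go
package main

import "fmt"

// Hypothetical, simplified policy: exact-match fields, not the Warden API.
type Policy struct {
	Subject, Resource, Action string
	Allow                     bool // false means an explicit deny
}

// Check is one resource/action pair from the batch request.
type Check struct{ Resource, Action string }

// Result carries the OK/Fail answer for exactly one Check.
type Result struct {
	Check
	Allowed bool
}

// Constructed sample data: alice may read articles:1; her write access to
// articles:2 is granted by one policy and explicitly denied by another.
var samplePolicies = []Policy{
	{"alice", "articles:1", "read", true},
	{"alice", "articles:2", "write", true},
	{"alice", "articles:2", "write", false},
}

// allowed evaluates a single check. Assumed semantics: an explicit deny
// overrides any allow, and a check that matches no policy is denied.
func allowed(policies []Policy, subject string, c Check) bool {
	ok := false
	for _, p := range policies {
		if p.Subject != subject || p.Resource != c.Resource || p.Action != c.Action {
			continue
		}
		if !p.Allow {
			return false
		}
		ok = true
	}
	return ok
}

// CheckBatch takes the subject (resolved once from the single token) and
// returns one result per check, in request order. No aggregate verdict is
// computed, so an allow on one resource never masks a deny on another.
func CheckBatch(policies []Policy, subject string, checks []Check) []Result {
	out := make([]Result, 0, len(checks))
	for _, c := range checks {
		out = append(out, Result{Check: c, Allowed: allowed(policies, subject, c)})
	}
	return out
}

func main() {
	checks := []Check{{"articles:1", "read"}, {"articles:2", "write"}, {"articles:1", "delete"}}
	fmt.Printf("%+v\n", CheckBatch(samplePolicies, "alice", checks))
}
```

Returning per-check results leaves the caller to decide how to combine them, which sidesteps the "allow if any resource is allowed" question raised earlier in the thread.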