ory / oathkeeper

A cloud native Identity & Access Proxy / API (IAP) and Access Control Decision API that authenticates, authorizes, and mutates incoming HTTP(s) requests. Inspired by the BeyondCorp / Zero Trust white paper. Written in Go.
Apache License 2.0

Match response body in remote_json authorizer #1169

Open jaspeen opened 1 month ago

jaspeen commented 1 month ago

Preflight checklist

Ory Network Project

No response

Context and scope

There are external authorization services like Open Policy Agent and OpenFGA which don't respond with HTTP 403 on authorization failure. Instead they return a JSON value indicating the result of authorization - {"result": true} and {"allowed": true} for OPA and OpenFGA respectively.

In this case we need to check the response body to determine if the request is authorized or not.

There is related issue #1125

Goals and non-goals

The design

A new configuration key will be added under the remote_json authorizer - match_json_field as an object with the following properties:

If that key is specified in the authorizer configuration and the response HTTP status is 200, it will try to parse the response body as JSON, extract the field value using a gjson selector and compare it with the provided value. In this case authorization passes only if the field exists and equals the value with the proper type.

From my point of view a gjson selector is better here than simply parsing the JSON and getting the field, because beyond the external authorization services mentioned there may be others which put the result in a nested structure like {"result":{"status": "ok"}}, and a selector gives more flexibility there. And gjson is already used in the codebase.

APIs

No response

Data storage

No response

Code and pseudo-code

No response

Degree of constraint

No response

Alternatives considered

No response
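The matching rule described in the design above, as an added example in Go that is not part of oathkeeper or of the issue author's proposal. It stands in for gjson with a dotted-path lookup over encoding/json (an assumption, covering only the dotted-key subset of gjson selectors), and the MatchJSONField and Authorized names are hypothetical:

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"strings"
)

// MatchJSONField mirrors the proposed match_json_field key: a selector pointing
// at a field in the authorizer's response body and the value that field must
// equal for the request to be allowed (hypothetical names for this example).
type MatchJSONField struct {
	Selector string      // e.g. "result", "allowed", "result.status"
	Value    interface{} // e.g. true or "ok"; JSON numbers decode as float64
}

// lookup walks a dotted path through decoded JSON. Only the dotted-key subset
// of gjson's selector syntax is supported here (an assumption of this example).
func lookup(doc interface{}, selector string) (interface{}, bool) {
	cur := doc
	for _, key := range strings.Split(selector, ".") {
		obj, ok := cur.(map[string]interface{})
		if !ok {
			return nil, false // path runs through a non-object value
		}
		if cur, ok = obj[key]; !ok {
			return nil, false // field missing
		}
	}
	return cur, true
}

// Authorized applies the proposed rule: the upstream must answer 200, the body
// must parse as JSON, the selected field must exist, and it must equal the
// configured value with the same JSON type (the string "true" != true).
func Authorized(status int, body []byte, m MatchJSONField) bool {
	if status != 200 {
		return false
	}
	var doc interface{}
	if err := json.Unmarshal(body, &doc); err != nil {
		return false
	}
	got, found := lookup(doc, m.Selector)
	return found && reflect.DeepEqual(got, m.Value)
}

func main() {
	// Constructed OPA-style response body for a quick stand-alone run.
	fmt.Println(Authorized(200, []byte(`{"result": true}`), MatchJSONField{"result", true}))
}
```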