Azure Authorization Service
Objectives
- A single-concern service responsible for application permission/role checking
- Accepts
access_tokenfor caller identity as an Http Header and permission(s) or role(s) as url path params - Returns a yes/no answer for each permission/role requested
- The service does not implement any meaning for permissions or roles
- The calling GUI/Service provides an interpretation for the role/permission
- The service does not provide authorization data management functionality, a separate end-point will address these concerns
Design
- The decision was not to rely on Azure AD user groups to eliminate dependency on IT personnel
- The service is solely responsible for high performance and availability
- The service will leverage Cosmos DB with Core Sql API for high performance and availability
- The owner of the service may decide to implement a caching strategy in case of performance issues detected
- During the transition period from Legacy to SaaS implementation, authorization data will be replicated from the legacy db
End-points
Permissions
The end-point will validate access token before processing the request
Request
Verb: GET
Http Headers:
- x-access-token: the token issued by authentication end-point
- x-correlation-id: optional header for traceability
Path: /permissions/key-1,key2
Response - Success
Status Code: 200 Body:
{
"userId": "user-principal-id",
"correlationId": "UUID",
"timestamp": "date-time"
"permissions": [
{
"key": "key-1",
"isAuthorized" false
},
{
"key": "key-2",
isAuthorized": true
}
]
}Roles
The end-point will validate access token before processing the request
Request
Verb: GET
Http Headers:
- x-access-token: the token issued by authentication end-point
- x-correlation-id: optional header for traceability
Path: /roles/key-1,key2
Response - Success
Status Code: 200 Body:
{
"userId": "user-principal-id",
"correlationId": "UUID",
"timestamp": "date-time"
"roles": [
{
"key": "schedule-pickup",
"isAuthorized": false
},
{
"key": "dispatchers",
"isAuthorized": true
}
]
}Azure Setup
Cosmos DB Setup
- Create Azure Cosmos DB Sql in the same region where plan to deploy the function
- Type a unique name e.g. starting with the organization and the env name e.g.
trgos-poc-authzdb - Networking:
All networks - Finish the creation of the account
Cosmos DB Configuration
- Select
Data Explorerlink - Create new container
RoleswithPartition key:key,Unique Keykey, and new database:authz-data - Add additional collections:
UsersandUserRolesPermissionswithPartition Key:keyandUnique Keykey - Import sample data by selection
Itemsunder corresponding container and selectItemsandUpload Item - For
UserRolesPermissionscontainer configureSettings->Time to Liveto value of300 secs - Navigate to Cosmos DB
Keysto copyURI - Navigate to
Connection String->Read-write Keysand copyURIandPRIMARY KEY
To create Azure Functions
chmod +x ./automation/*
./automation/create-functions.shTo configure Azure Functions:
Configure env vars for the function:
az functionapp config appsettings set --name trgos-authorization \
--resource-group authpoc-resource-group \
--settings "CosmosDbEndpointUri={replace}"
az functionapp config appsettings set --name trgos-authorization \
--resource-group authpoc-resource-group \
--settings "CosmosDbPrimaryKey={replace}"
az functionapp config appsettings set --name trgos-authorization \
--resource-group authpoc-resource-group \
--settings "CosmosDbDatabaseId=authz-data"
az functionapp config appsettings set --name trgos-authorization \
--resource-group authpoc-resource-group \
--settings "RolesContainerId=Roles"
az functionapp config appsettings set --name trgos-authorization \
--resource-group authpoc-resource-group \
--settings "UsersContainerId=Users"
az functionapp config appsettings set --name trgos-authorization \
--resource-group authpoc-resource-group \
--settings "UserRolesPermissionsContainerId=UserRolesPermissions"To deploy Azure Functions
chmod +x ./automation/*
./automation/create-functions.shToDo:
- AuthZ payload timestamp non-standard format!
- unit tests not running on linux
- Should missing
correlationIdgenerate a 400 error?