Gateway Authorization mechanisms

Owned by Dave Trier
Nov 10, 2022
3 min read

Authorization

Gateway provides different mechanisms to manage authorization in secured environments. One of the most effective and powerful methods is secured endpoints allowing MOC administrators restricting access to internal MOC endpoints through configuration properties at the Gateway.

Securing endpoints through the gateway

This configuration requires two components:

  1. Rule base authorities

  2. Protected endpoints.

1- Rule base authorities:

Allow mappings between OAuth2 token claims and Granted Authorities.

These rules are defined under:

oauth2: resource-server: authorization: rule-based-authorities:

Each rule is defined by:

- authority-name: GrantedAuthorityNameToBeAssigned claim-value-condition: claims: token_claim_name_one,token_claim_name_two values: expected_value_one,expected_value_two

Which can be translated to:

If token claims contains any of the next keys: token_claim_name_one OR token_claim_name_two, and the value equals any of expected_value_one OR expected_value_two then request will get GrantedAuthorityNameToBeAssigned as Granted Authority.

 

Sample configurations:

oauth2: resource-server: authorization: rule-based-authorities: - authority-name: modelopEngineOnlyModelManage claim-value-condition: claims: user_id,client_id values: model-manage - authority-name: modelopEngineOnlyModelManageAndMlc claim-value-condition: claims: user_id,client_id values: model-manage,mlc-service - authority-name: modelop-monitor claim-value-condition: claims: user_id,client_id values: model-manage,mlc-service

 

If Gateway receives a token containing any of the predefined rules, then that user will get the authority-name added as granted authority.

As an example:

Using the above configurations and receiving a token with the next claims:

 

The resulting Granted authorities will be:

 

2- Protected endpoints

These protected endpoints are defined under:

Each protected endpoint is defined by:

 

Sample configurations:

 

Example 1:

Using the above configurations and receiving a token that generates the next granted authorities:

Result:

The request will be able to access all endpoints.

 

Example 2:

Using the above configurations and receiving a token that generates the next granted authorities:

Result:

The request wont be able to access: /engine-protected-modelop-test/api/roundtrip/0/1 , but will be able to access: /engine-protected-modelop-**/api/roundtrip/0/1

Â