Gateway Authorization mechanisms

Authorization

Gateway provides different mechanisms to manage authorization in secured environments. One of the most effective and powerful methods is secured endpoints allowing MOC administrators restricting access to internal MOC endpoints through configuration properties at the Gateway.

Securing endpoints through the gateway

This configuration requires two components:

Rule base authorities
Protected endpoints.

1- Rule base authorities:

Allow mappings between OAuth2 token claims and Granted Authorities.

These rules are defined under:

 oauth2:
  resource-server:
    authorization:
      rule-based-authorities:

Each rule is defined by:

- authority-name: GrantedAuthorityNameToBeAssigned
    claim-value-condition:
        claims: token_claim_name_one,token_claim_name_two
        values: expected_value_one,expected_value_two

Which can be translated to:

IF token contains a claim named token_claim_name_one OR token_claim_name_two
AND any of these claims have a value equal to expected_value_one OR expected_value_two
THEN request will have a Granted Authority named GrantedAuthorityNameToBeAssigned.

Sample configurations:

oauth2:
  resource-server:
    authorization:
      rule-based-authorities:
        - authority-name: modelopEngineOnlyModelManage
          claim-value-condition:
            claims: user_id,client_id
            values: model-manage
        - authority-name: modelopEngineOnlyModelManageAndMlc
          claim-value-condition:
            claims: user_id,client_id
            values: model-manage,mlc-service
        - authority-name: modelop-monitor
          claim-value-condition:
            claims: user_id,client_id
            values: model-manage,mlc-service

If Gateway receives a token containing any of the predefined rules, then that user will get the authority-name added as granted authority.

As an example:

Using the above configurations and receiving a token with the next claims:

Every rule based authority will be granted because a client_id claim is present and equal to model-manage, causing the token to match each claim value condition. Hence, this token receives the following Granted Authorities.

2- Protected endpoints

These protected endpoints are defined as a list of objects under gateway.security.protectedEndpoints:

Pay special attention to the syntax and alignment when working with YAML object lists. Inline JSON-style syntax can be used if preferable.

Sample configurations:

Example 1:

Using the above configurations and receiving a token that generates the next granted authorities:

Result:

The request will be able to access all endpoints because they require the modelopEngineOnlyModelManage and modelopEngineOnlyModelManageAndMlc authorities for access, both of which have been granted to the client.

Example 2:

Using the above configurations and receiving a token that generates the next granted authorities:

Result:

The request will be able to access the endpoint /engine-protected-modelop-test/api/roundtrip/0/1, but will not be able to access any other endpoints such as: /engine-protected-modelop-dev/api/roundtrip/0/1. The wildcard path pattern /engine-protected-modelop-**/api/roundtrip/0/1 would match the path /engine-protected-modelop-test/api/roundtrip/0/1, but because the more specific matcher is first in the list, it has precedence over the less specific matcher after it.