Authorization

Description

The gateway can apply authorization rules to incoming requests. Each entry in this list specifies which requests it matches, the rule to evaluate for those requests, and the action to perform when the rule matches. The rules can be either:

  • Defined directly here in an entry.
  • Defined in the authorization section and referenced by name here in an entry.

This entry defines authorization rules directly. There are also two pre-defined rules which can be used:

  • "anyuser" : Allows access to any user, even if they are not authenticated.
  • "anyauth" : Allows access to any authenticated user.

Properties

The following table(s) describe the configuration properties for this component:

Name | Type | Constraints | Description
---- | ---- | ----------- | -----------
paths | array[string] | | The paths to which this policy is applied. Each path may contain the '*' and '?' pattern-matching characters. This entry is an array and can be used to specify multiple paths.
host | string | | The host (obtained from the Host header in the request) for which this policy is applied. If no host header is specified, all hosts will be matched.
name | string | | A name for this policy, which is used to refer to this policy in audit events.
action | string | Values: permit, deny, obligate | Defines the action to perform if the rule matches. If the action is obligate, the obligation property must also be set for this authorization rule.
obligation | OBLIGATION Object | | See the OBLIGATION Object table below.
rule | string | | If a rule string is not defined here, the gateway will look for a named rule (with the same name as this policy) in the authorization section of the configuration YAML. Refer to the authorization section of this template for an explanation of rule syntax. The predefined rules anyuser or anyauth can also be referenced here.
methods | array[string] | | The method(s) to which this policy applies. If this is not defined, the policy applies to all methods.

OBLIGATION Object

If the action for this rule is obligate, this obligation must be defined to indicate that authentication should take place again with specific parameters.

Name | Type | Constraints | Description
---- | ---- | ----------- | -----------
oidc | OIDC Object | | See the OIDC Object table below.

OIDC Object

Authentication parameters which can be used when using an OIDC identity scenario. These parameters are passed as query string parameters when the authorization endpoint is requested.

Name | Type | Constraints | Description
---- | ---- | ----------- | -----------
acr_values | string | | A string of ACR (Authentication Context Class Reference) values to pass to the identity provider. Refer to "acr_values" in section 3.1.2 of the OpenID Connect Core specification for further information. Valid ACRs are defined by the identity provider; refer to your identity provider for further information about the ACRs which it supports.
prompt | string | | A string of prompt options to pass to the identity provider. Refer to "prompt" in section 3.1.2 of the OpenID Connect Core specification for further information. Prompt options are optional and may not be supported by all identity providers; refer to your identity provider for further information about the prompt values it supports.

Example

policies:
  authorization:
    - name: policyA
      host: www.test.com
      paths:
        - /test*
      methods:
        - GET
        - POST
      rule: (any groupIds = "administrator")
      action: permit
    - name: policyB
      host: www.example.com
      paths:
        - /example*
      methods:
        - DELETE
      rule: anyuser
      action: deny
      obligation:   # only used by the gateway when action is obligate
        oidc:
          acr_values: "administrator mfa"
          prompt: login
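An added illustration, not the gateway's own code: a small Python model of how the properties above combine, using policies constructed from the Example (with policyB's action changed to obligate so that its obligation applies). Assumed, because the page does not state them: the first matching policy wins, an absent host or methods property matches everything, the user is represented as a dict of attribute lists, and rule evaluation covers only the predefined rules and the `(any attr = "value")` form seen in the example.

```python
import re

def _glob(pattern):
    # Only '*' and '?' are wildcards, as the paths property states; everything else is literal.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(body + r"\Z")

def validate(policy):
    """Configuration problems for one policy entry (empty list when it is well formed)."""
    problems = []
    if policy.get("action") not in ("permit", "deny", "obligate"):
        problems.append("action must be permit, deny or obligate")
    if policy.get("action") == "obligate" and not policy.get("obligation"):
        problems.append("action obligate requires an obligation")
    return problems

def matches(policy, host, path, method):
    """Request filter: host only if set, any path pattern, method only if methods is set (assumed)."""
    if "host" in policy and policy["host"] != host:
        return False
    if "methods" in policy and method not in policy["methods"]:
        return False
    return any(_glob(p).match(path) for p in policy["paths"])

def rule_holds(rule, user):
    """user is None when unauthenticated, else a dict of attribute lists (assumed shape)."""
    if rule == "anyuser":
        return True
    if rule == "anyauth":
        return user is not None
    # Only the '(any <attr> = "<value>")' form from the page's example is supported here.
    m = re.fullmatch(r'\(any (\w+) = "([^"]*)"\)', rule)
    if m is None:
        raise ValueError(f"unsupported rule syntax: {rule}")
    return user is not None and m[2] in user.get(m[1], [])

def authorize(policies, host, path, method, user=None):
    """First match wins (assumed ordering). Returns (name, action, obligation) or None if none applies."""
    for p in policies:
        if matches(p, host, path, method) and rule_holds(p["rule"], user):
            return p["name"], p["action"], p.get("obligation")
    return None

# Constructed policies mirroring the page's example; policyB uses obligate so its obligation is honoured.
POLICIES = [
    {"name": "policyA", "host": "www.test.com", "paths": ["/test*"], "methods": ["GET", "POST"],
     "rule": '(any groupIds = "administrator")', "action": "permit"},
    {"name": "policyB", "host": "www.example.com", "paths": ["/example*"], "methods": ["DELETE"],
     "rule": "anyuser", "action": "obligate",
     "obligation": {"oidc": {"acr_values": "administrator mfa", "prompt": "login"}}},
]
```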