Version: 8.x (Current)

Authorization service

This service can be added to your project by visiting Mia-Platform Marketplace and creating a new microservice from the Authorization Service plugin.

Configuration

The configuration is saved in the auth.json file, which is generated by the backend and is visible as read-only. One way to overwrite the configuration is to edit the service's advanced configuration. The configuration must follow this schema:

{
  "definitions": {
    "authorization": {
      "type": "object",
      "properties": {
        "expression": {
          "type": "string"
        },
        "public": {
          "type": "boolean"
        }
      },
      "required": [
        "expression",
        "public"
      ]
    }
  },
  "type": "object",
  "patternProperties": {
    "^\/": {
      "type": "object",
      "patternProperties": {
        "^(GET|POST|PATCH|PUT|DELETE|HEAD)$|^(ALL)$": {
          "type": "object",
          "properties": {
            "authorization": {
              "$ref": "#/definitions/authorization"
            },
            "backofficeAuthorization": {
              "$ref": "#/definitions/authorization"
            }
          }
        }
      },
      "additionalProperties": false
    }
  },
  "additionalProperties": false
}

In this configuration, all method names must be written in uppercase. You can also use the keyword ALL, which automatically covers the main methods: GET, POST, PUT, PATCH, DELETE, HEAD and OPTIONS. Note that OPTIONS is not among the per-method keys accepted by the schema, so it can only be covered through ALL. Because the schema sets additionalProperties to false at both levels, a route key that does not start with / and a method key outside the allowed set (for example a lowercase method) are rejected rather than silently ignored.

In this configuration, authorization is split between backoffice and frontend requests: the authorization rule and the backofficeAuthorization rule can be set independently for the same route and method. Whether a request is treated as a backoffice request is decided by the header whose name is set by the env variable BACKOFFICE_HEADER_KEY.

Configuration example

{
  "/": {
    "GET": {
      "authorization": {
        "expression": "true",
        "public": true
      }
    },
    "POST": {
      "authorization": {
        "expression": "false",
        "public": false
      }
    },
    "PUT": {
      "authorization": {
        "expression": "false",
        "public": false
      },
      "backofficeAuthorization": {
        "expression": "false",
        "public": false
      }
    }
  },
  "/myApi": {
    "ALL": {
      "authorization": {
        "expression": "groups.admin && isBackoffice",
        "public": false
      }
    }
  },
  "/users": {
    "ALL": {
      "authorization": {
        "expression": "groups.admin && isBackoffice",
        "public": false
      }
    }
  }
}
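
As an added example (not code from the Authorization Service plugin or from Mia-Platform), the following Python script checks an auth.json against the schema above using only the standard library, then expands the ALL keyword and lists the concrete routes that end up public, so a configuration can be linted before it is saved. Everything it enforces is taken from the schema and the configuration example on this page; the rule that an explicit method key overrides ALL for the same path, the script name lint_auth.py and the BAD_CONFIG sample are assumptions of the example, not behaviour documented here.

```python
"""Lint an Authorization Service auth.json against the schema on this page.

Added example, not code from the Mia-Platform plugin: it re-implements the
schema with the standard library only, then expands ALL to audit public routes.
"""
import json
import re
import sys

# Per-method keys accepted by the schema; OPTIONS is absent and only reachable via ALL.
METHOD_RE = re.compile(r"^(GET|POST|PATCH|PUT|DELETE|HEAD)$|^(ALL)$")
ALL_METHODS = ("GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS")  # what ALL covers, per the page


def _check_rule(rule, where, errors):
    """Validate one #/definitions/authorization object (both fields are required)."""
    if not isinstance(rule, dict):
        errors.append(f"{where}: must be an object")
        return
    if not isinstance(rule.get("expression"), str):
        errors.append(f"{where}.expression: required and must be a string")
    if not isinstance(rule.get("public"), bool):
        errors.append(f"{where}.public: required and must be a boolean")


def validate_config(config):
    """Return the schema violations found; an empty list means the file is valid."""
    if not isinstance(config, dict):
        return ["root: must be an object"]
    errors = []
    for path, methods in config.items():
        # Root has additionalProperties: false, so every key must match ^/
        if not path.startswith("/"):
            errors.append(f"'{path}': route keys must start with '/'")
            continue
        if not isinstance(methods, dict):
            errors.append(f"{path}: must be an object keyed by HTTP method")
            continue
        for method, rule_set in methods.items():
            # Path objects also have additionalProperties: false, so a lowercase
            # method or an OPTIONS key is rejected rather than silently ignored.
            if not METHOD_RE.match(method):
                errors.append(f"{path}: '{method}' is not an allowed method key")
                continue
            if not isinstance(rule_set, dict):
                errors.append(f"{path}.{method}: must be an object")
                continue
            for key in ("authorization", "backofficeAuthorization"):
                if key in rule_set:
                    _check_rule(rule_set[key], f"{path}.{method}.{key}", errors)
    return errors


def effective_rules(config):
    """Expand ALL into concrete methods: {(METHOD, path): rule_set}."""
    table = {}
    for path, methods in config.items():
        if "ALL" in methods:
            for m in ALL_METHODS:
                table[(m, path)] = methods["ALL"]
        for method, rule_set in methods.items():
            if method != "ALL":  # linter's assumption: an explicit method overrides ALL
                table[(method, path)] = rule_set
    return table


def public_routes(config, backoffice=False):
    """Sorted (METHOD, path) pairs whose frontend (or backoffice) rule is public."""
    key = "backofficeAuthorization" if backoffice else "authorization"
    return sorted(route for route, rule_set in effective_rules(config).items()
                  if rule_set.get(key, {}).get("public") is True)


# The configuration example from this page, as a Python literal.
EXAMPLE_CONFIG = {
    "/": {
        "GET": {"authorization": {"expression": "true", "public": True}},
        "POST": {"authorization": {"expression": "false", "public": False}},
        "PUT": {
            "authorization": {"expression": "false", "public": False},
            "backofficeAuthorization": {"expression": "false", "public": False},
        },
    },
    "/myApi": {"ALL": {"authorization": {"expression": "groups.admin && isBackoffice", "public": False}}},
    "/users": {"ALL": {"authorization": {"expression": "groups.admin && isBackoffice", "public": False}}},
}

# Constructed bad config (not from the page): lowercase method, OPTIONS as a
# per-method key, a route without the leading slash, and a rule missing "public".
BAD_CONFIG = {
    "/orders": {
        "get": {"authorization": {"expression": "true", "public": True}},
        "OPTIONS": {"authorization": {"expression": "true", "public": True}},
        "DELETE": {"authorization": {"expression": "groups.admin"}},
    },
    "health": {"GET": {"authorization": {"expression": "true", "public": True}}},
}

if __name__ == "__main__":
    # Usage: python lint_auth.py [path/to/auth.json]; defaults to the page's example.
    cfg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else EXAMPLE_CONFIG
    for err in validate_config(cfg):
        print("ERROR:", err)
    print("public routes:", public_routes(cfg))
```

Run against the page's example the script reports no violations and a single public route, GET /; run against BAD_CONFIG it reports each of the four mistakes with the path and method where it occurs. The public-route listing is the part worth reviewing before every deploy: it is the set of endpoints the service will let through without the expression deciding anything.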

Environment variables

  • LOG_LEVEL (default: trace): the log level. It can be trace, debug, info, warn, error, or fatal;
  • HTTP_PORT (default: 3000): the port exposed by the service;
  • CONFIGURATION_PATH (required, default: ./): the path to the directory containing the configuration file. Do not include the file name;
  • CONFIGURATION_FILE_NAME (required, default: test-config.test): the name of the configuration file. Do not include the path;
  • BACKOFFICE_HEADER_KEY (required, default: isbackoffice): the name of the header whose value determines whether a request is treated as a backoffice request;
  • SERVICE_VERSION (default: 1.0.0): the service version, included in status routes responses;
  • SERVICE_PREFIX: the prefix used for the path of the service endpoints;
  • USERINFO_URL (required): the URL of the service that provides information about the user. If baas-legacy is your service of choice, the value is http://baas-legacy/users/me, where baas-legacy may differ if your service has been renamed. Likewise, if you rely on auth0-client, the value should be http://auth0-client/userinfo, where auth0-client may differ if your service has been renamed;
  • CUSTOM_USER_ID_KEY: the property that uniquely identifies the user, depending on the service that provides information about the user. With baas-legacy this value should be id, with auth0-client it should be sub;
  • AUTHORIZATION_STRICT_MODE_ENABLED: defines whether strict mode is enabled or not;
  • USER_PROPERTIES_TO_PROXY: specifies which user properties need to be proxied (to the URL set by the USERINFO_URL variable);
  • CLIENT_TYPE_HEADER_KEY (required, default: client-type): the name of the header whose value identifies the client type;
  • BACKOFFICE_USERINFO_URL: the backoffice URL of the service that provides information about the user;
  • CUSTOM_PERMISSIONS_KEY: the key which identifies the list of permissions in the user's request;
  • DELAY_SHUTDOWN_SECONDS (default: 10): the number of seconds to wait before closing the service during a graceful shutdown;
  • HEADERS_TO_PROXY: specifies which headers need to be proxied (to the URL set by the USERINFO_URL variable). If you are using baas-legacy its value should be x-request-id,request-id,secret,dpd-ssh-key,cookie,host,x-forwarded-host; if you are using auth0-client its value should be x-request-id,request-id,cookie,authorization,client-type,host,x-forwarded-host;
  • AUTHORIZATION_HEADERS_TO_PROXY: a comma-separated list of the headers that may carry the authorization credentials used by the user services. For example, in an OIDC flow where the session is carried as a bearer token, this should be set to authorization.