Version: 9.x (Current)

Authorization service

This service can be added to your project by visiting Mia-Platform Marketplace and creating a new microservice from the Authorization Service plugin.

Configuration

The configuration is saved in the auth.json file, which is generated by the backend and is visible as read-only. One way to overwrite the configuration is to edit the service's advanced configuration. The configuration must follow this schema:

{
  "definitions": {
    "authorization": {
      "type": "object",
      "properties": {
        "expression": {
          "type": "string"
        },
        "public": {
          "type": "boolean"
        }
      },
      "required": [
        "expression",
        "public"
      ]
    }
  },
  "type": "object",
  "patternProperties": {
    "^\/": {
      "type": "object",
      "patternProperties": {
        "^(GET|POST|PATCH|PUT|DELETE|HEAD)$|^(ALL)$": {
          "type": "object",
          "properties": {
            "authorization": {
              "$ref": "#/definitions/authorization"
            },
            "backofficeAuthorization": {
              "$ref": "#/definitions/authorization"
            }
          }
        }
      },
      "additionalProperties": false
    }
  },
  "additionalProperties": false
}

All method names in this configuration must be written in uppercase. You can also use the keyword ALL, which automatically covers the main methods: GET, POST, PUT, PATCH, DELETE, HEAD and OPTIONS.

Authorization is configured separately for backoffice and frontend requests: the authorization block applies to frontend requests and the backofficeAuthorization block to backoffice requests. A request is recognised as a backoffice request by the header whose name is set by the BACKOFFICE_HEADER_KEY environment variable.

Configuration example

{
  "/": {
    "GET": {
      "authorization": {
        "expression": "true",
        "public": true
      }
    },
    "POST": {
      "authorization": {
        "expression": "false",
        "public": false
      }
    },
    "PUT": {
      "authorization": {
        "expression": "false",
        "public": false
      },
      "backofficeAuthorization": {
        "expression": "false",
        "public": false
      }
    }
  },
  "/myApi": {
    "ALL": {
      "authorization": {
        "expression": "groups.admin && isBackoffice",
        "public": false
      }
    }
  },
  "/users": {
    "ALL": {
      "authorization": {
        "expression": "groups.admin && isBackoffice",
        "public": false
      }
    }
  }
}
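As an added example (not part of the Mia-Platform documentation or the service's own code), the following Python checker applies the schema constraints above to a parsed auth.json, expands ALL into the methods listed in the text, and lists the routes whose frontend rule is marked public so they can be reviewed first. It assumes nothing about how the expression strings are evaluated; the rule that an explicit method entry overrides ALL for the same method is this example's own assumption, as is the constructed sample configuration.

```python
# Methods the keyword ALL expands to (from the page text); OPTIONS has no explicit key.
ALL_METHODS = ("GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS")
METHOD_KEYS = frozenset(("GET", "POST", "PATCH", "PUT", "DELETE", "HEAD", "ALL"))

# Constructed sample (a parsed auth.json) for this example, not the page's own example.
SAMPLE_CONFIG = {
    "/": {"GET": {"authorization": {"expression": "true", "public": True}}},
    "/myApi": {
        "ALL": {"authorization": {"expression": "groups.admin && isBackoffice", "public": False}},
        "GET": {"authorization": {"expression": "groups.admin", "public": False}},
    },
}

def validate(config):
    """Return the schema violations found in a parsed auth.json (empty list if valid)."""
    errors = []
    for path, methods in config.items():
        if not path.startswith("/"):
            errors.append(f"{path!r}: route keys must start with '/'")
            continue
        for method, rules in methods.items():
            if method not in METHOD_KEYS:  # also rejects lowercase method names
                errors.append(f"{path} {method!r}: method must be uppercase or ALL")
                continue
            for kind in ("authorization", "backofficeAuthorization"):  # both optional
                rule = rules.get(kind)
                if rule is None:
                    continue
                if not isinstance(rule.get("expression"), str):
                    errors.append(f"{path} {method} {kind}: 'expression' must be a string")
                if not isinstance(rule.get("public"), bool):
                    errors.append(f"{path} {method} {kind}: 'public' must be a boolean")
    return errors

def flatten(config):
    """Expand ALL into concrete methods as {(path, method): rules}.
    Assumption of this example: an explicit method entry overrides ALL for that method."""
    table = {}
    for path, methods in config.items():
        for method in (ALL_METHODS if "ALL" in methods else ()):
            table[(path, method)] = methods["ALL"]
        for method, rules in methods.items():
            if method != "ALL":
                table[(path, method)] = rules
    return table

def public_routes(config):
    """(path, method) pairs whose frontend rule is marked public: review these first."""
    return sorted(pm for pm, rules in flatten(config).items()
                  if rules.get("authorization", {}).get("public") is True)
```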

Environment variables

  • LOG_LEVEL (default: trace): the log level. It can be trace, debug, info, warn, error, or fatal;
  • HTTP_PORT (default: 3000): the port exposed by the service;
  • CONFIGURATION_PATH (required, default: ./): the path to the configuration file. Do not include the file name;
  • CONFIGURATION_FILE_NAME (required, default: test-config.test): the name of the configuration file. Do not include the full path;
  • BACKOFFICE_HEADER_KEY (required, default: isbackoffice): the header key whose value determines whether the request is considered a backoffice request;
  • SERVICE_VERSION (default: 1.0.0): the service version, included in status route responses;
  • SERVICE_PREFIX: the prefix used for the path of the service endpoints;
  • USERINFO_URL (required if TRUST_MIA_USER_HEADERS is set to false): the URL of the service that provides information about the user. If baas-legacy is your service of choice, the value of this variable is http://baas-legacy/users/me, where baas-legacy might differ if your service has been renamed. Likewise, if you rely on auth0-client, the value of this variable should be http://auth0-client/userinfo, where auth0-client might differ if your service has been renamed;
  • CUSTOM_USER_ID_KEY: the unique identifier of the user, depending on the service that provides information about the user. If you are using baas-legacy this value should be id; if you use auth0-client it should be sub;
  • AUTHORIZATION_STRICT_MODE_ENABLED: defines whether strict mode is enabled or not;
  • USER_PROPERTIES_TO_PROXY: specifies which user properties need to be proxied (to the URL set by the USERINFO_URL variable);
  • CLIENT_TYPE_HEADER_KEY (required, default: client-type): the header key whose value determines the client type;
  • BACKOFFICE_USERINFO_URL: the backoffice URL of the service that provides information about the user;
  • CUSTOM_PERMISSIONS_KEY: the key that identifies the list of permissions in the user's request;
  • DELAY_SHUTDOWN_SECONDS (default: 10): the number of seconds waited before closing the service when performing a graceful shutdown;
  • HEADERS_TO_PROXY: specifies which headers need to be proxied (to the URL set by the USERINFO_URL variable). If you are using baas-legacy its value should be x-request-id,request-id,secret,dpd-ssh-key,cookie,host,x-forwarded-host; if you are using auth0-client its value should be x-request-id,request-id,cookie,authorization,client-type,host,x-forwarded-host;
  • AUTHORIZATION_HEADERS_TO_PROXY: a comma-separated list of the headers that may carry the authorization headers used by the user services. For example, in an OIDC flow where the session is saved as a bearer token, this should be set to authorization;
  • TRUST_MIA_USER_HEADERS (default: false): specifies whether the service should trust the request headers that contain the user data (be careful: do not set this to true if this authorization service is used by an API Gateway exposed to the internet. This is intended for the API Gateways of projects protected by an Edge Gateway);
  • USERID_HEADER_KEY (default: miauserid): the request header containing the user id;
  • GROUPS_HEADER_KEY (default: miausergroups): the request header containing the user groups;
  • USER_PROPERTIES_HEADER_KEY (default: miauserproperties): the request header containing the user properties.