Authorization service
This service can be added to your project by visiting Mia-Platform Marketplace and creating a new microservice from the Authorization Service plugin.
Configuration
The configuration is saved in the auth.json
file, which is generated from the backend and visible as read-only. One way to overwrite the configuration is editing the service advanced configuration. The configuration must follow this schema:
{
"definitions": {
"authorization": {
"type": "object",
"properties": {
"expression": {
"type": "string"
},
"public": {
"type": "boolean"
}
},
"required": [
"expression",
"public"
]
}
},
"type": "object",
"patternProperties": {
"^\/": {
"type": "object",
"patternProperties": {
"^(GET|POST|PATCH|PUT|DELETE|HEAD)$|^(ALL)$": {
"type": "object",
"properties": {
"authorization": {
"$ref": "#/definitions/authorization"
},
"backofficeAuthorization": {
"$ref": "#/definitions/authorization"
}
}
}
},
"additionalProperties": false
}
},
"additionalProperties": false
}
In this configuration, we expect that all the methods are written in uppercase. You can also insert the keyword ALL
that automatically handles the main methods: GET
, POST
, PUT
, PATCH
, DELETE
, HEAD
and OPTIONS
.
In this configuration authorization is separated between backoffice and frontend request. The header to match this condition is set by the env variable BACKOFFICE_HEADER_KEY
.
Configuration example
{
"/": {
"GET": {
"authorization": {
"expression": "true",
"public": true
}
},
"POST": {
"authorization": {
"expression": "false",
"public": false
}
},
"PUT": {
"authorization": {
"expression": "false",
"public": false
},
"backofficeAuthorization": {
"expression": "false",
"public": false
}
}
},
"/myApi": {
"ALL": {
"authorization": {
"expression": "groups.admin && isBackoffice",
"public": false
}
}
},
"/users": {
"ALL": {
"authorization": {
"expression": "groups.admin && isBackoffice",
"public": false
}
}
}
}
Environment variables
- LOG_LEVEL (default:
trace
): level of the log. It can betrace
,debug
,info
,warn
,error
, orfatal
; - HTTP_PORT (default:
3000
): the port exposed by the service; - CONFIGURATION_PATH (required, default:
./
): the path to the configuration file. Do not include the file name; - CONFIGURATION_FILE_NAME (required, default:
test-config.test
): the name of the configuration file. Do not include the full path; - BACKOFFICE_HEADER_KEY (required, default:
isbackoffice
): the header key which identifies the value which determines if the service is considered backoffice; - SERVICE_VERSION (default:
1.0.0
): the service version, included in status routes responses; - SERVICE_PREFIX: the prefix used for the path of the service endpoints;
- USERINFO_URL (required, if
TRUST_MIA_USER_HEADERS
is set tofalse
): the url of the service that provides information about the user. Ifbaas-legacy
is your service of choice, the value of this variable ishttp://baas-legacy/users/me
, wherebaas-legacy
might be different if your service has been renamed. Likewise, if you rely onauth0-client
, the value of this variable should behttp://auth0-client/userinfo
, whereauth0-client
might be different if your service has been renamed.; - CUSTOM_USER_ID_KEY : a unique identifier of the user, based on te service that provides information about the user. If you are using
baas-legacy
this value should beid
, if you useauth0-client
it should besub
; - AUTHORIZATION_STRICT_MODE_ENABLED: defines whether strict mode is enabled or not;
- USER_PROPERTIES_TO_PROXY: specifies which user properties need to be proxied (to the url set by USERINFO_URL variable);
- CLIENT_TYPE_HEADER_KEY (required, default:
client-type
): the header key which identifies the value which determines the client type; - BACKOFFICE_USERINFO_URL: the backoffice url of the service that provides information about the user;
- CUSTOM_PERMISSIONS_KEY: the key which identifies the list of permission in the user's request;
- DELAY_SHUTDOWN_SECONDS (default:
10
): the amount of seconds waited before closing the service when performing a graceful shutdown; - HEADERS_TO_PROXY: specifies which headers need to be proxied (to the url set by USERINFO_URL variable). If you are using
baas-legacy
then its value should bex-request-id,request-id,secret,dpd-ssh-key,cookie,host,x-forwarded-host
, if you are usingauth0-client
its value should bex-request-id,request-id,cookie,authorization,client-type,host,x-forwarded-host
; - AUTHORIZATION_HEADERS_TO_PROXY: specifies which headers could contain the authorization headers used by the user services in a comma separated list of headers. For example, in an oidc flow where the session is saved as bearer token, here should be set
authorization
. - TRUST_MIA_USER_HEADERS (default:
false
): specifies if the service should trust the request headers which contain the user data (be careful: do not set this totrue
if this authorization service is used by an API Gateway exposed to internet. This is intended for the API Gateways of the projects protected by an Edge Gateway). - USERID_HEADER_KEY (default:
miauserid
): the request header containing the user id. - GROUPS_HEADER_KEY (default:
miausergroups
): the request header containing the user groups. - USER_PROPERTIES_HEADER_KEY (default:
miauserproperties
): the request header containing the user properties.