Preflight checklist
Ory Network Project
No response
Context and scope
There are external authorization services like Open Policy Agent and OpenFGA which don't respond with HTTP 403 on authorization failure. Instead they return a JSON value indicating the result of the authorization - {"result": true} and {"allowed": true} for OPA and OpenFGA respectively. In this case we need to check the response body to determine whether the request is authorized or not.
There is a related issue #1125
Goals and non-goals
Deny or allow the request based on a particular response JSON body value in case the response status is 200
Backward compatible with existing configuration
The design
A new configuration key will be added under the remote_json authorizer - match_json_field, an object with the following properties:
field : JSON field selector (gjson) to match
str_val : string value to match
bool_val : boolean value to match
If that key is specified in the authorizer configuration and the response HTTP status is 200, it will try to parse the response body as JSON, extract the field value using the gjson selector and compare it with the provided value.
In this case authorization passes only if the field exists and equals the value of the proper type.
From my point of view the gjson selector is better here than simply parsing the JSON and getting the field, because beyond the external authorization services mentioned there may be others which put the result in a nested structure like {"result":{"status": "ok"}}, and a selector gives more flexibility there. And gjson is already used in the codebase.
APIs
No response
Data storage
No response
Code and pseudo-code
No response
Degree of constraint
No response
Alternatives considered
No response
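The decision rule proposed above, written out as an added, self-contained Go example (this is not Oathkeeper's code and not the implementation of the proposal). It keeps the three cases the design depends on apart: a non-200 status is denied as before, a 200 with no match_json_field configured is allowed as before (the backward-compatibility goal), and a 200 with match_json_field configured is allowed only when the selected field exists and equals the configured value with the configured type, so `{"result": "true"}` does not satisfy `bool_val: true`. The `lookup` helper is a stdlib stand-in for the dotted-path subset of gjson syntax the proposal needs; a real implementation would call gjson on the body instead. The `match_json_field` key and its sub-keys follow the proposal; the surrounding `RemoteJSONConfig` struct and the `remote` URL are an assumed sketch, and all response bodies are constructed samples.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// MatchJSONField mirrors the proposed match_json_field object. Exactly one of
// StrVal or BoolVal is expected to be set; neither set is a misconfiguration.
type MatchJSONField struct {
	Field   string  `json:"field"`
	StrVal  *string `json:"str_val,omitempty"`
	BoolVal *bool   `json:"bool_val,omitempty"`
}

// RemoteJSONConfig is an assumed, cut-down sketch of the remote_json authorizer
// config carrying the proposed key (the real config has more fields).
type RemoteJSONConfig struct {
	Remote         string          `json:"remote"`
	MatchJSONField *MatchJSONField `json:"match_json_field,omitempty"`
}

// ParseConfig decodes the sketch config from JSON.
func ParseConfig(raw string) (RemoteJSONConfig, error) {
	var c RemoteJSONConfig
	err := json.Unmarshal([]byte(raw), &c)
	return c, err
}

// Bool and Str build the optional typed values for MatchJSONField.
func Bool(b bool) *bool     { return &b }
func Str(s string) *string  { return &s }

// lookup walks a dotted path such as "result.status" through decoded JSON.
// It is a stdlib stand-in for the gjson subset the proposal needs; a missing
// key or a non-object on the way reports "not found" rather than a zero value.
func lookup(doc interface{}, path string) (interface{}, bool) {
	cur := doc
	for _, key := range strings.Split(path, ".") {
		obj, ok := cur.(map[string]interface{})
		if !ok {
			return nil, false
		}
		cur, ok = obj[key]
		if !ok {
			return nil, false
		}
	}
	return cur, true
}

// Authorized applies the proposed rule to a remote_json response.
//   status != 200                 -> denied (unchanged behaviour)
//   status == 200, no match config -> allowed (backward compatible)
//   status == 200, match config    -> body must be JSON, field must exist and
//                                     equal the configured value of that type
func Authorized(status int, body []byte, m *MatchJSONField) (bool, error) {
	if status != http.StatusOK {
		return false, nil
	}
	if m == nil {
		return true, nil
	}
	var doc interface{}
	if err := json.Unmarshal(body, &doc); err != nil {
		return false, fmt.Errorf("remote_json: response body is not JSON: %w", err)
	}
	v, found := lookup(doc, m.Field)
	if !found {
		return false, nil // field absent: deny, never fall back to "200 means allowed"
	}
	switch {
	case m.BoolVal != nil:
		b, isBool := v.(bool) // a string "true" is a type mismatch and is denied
		return isBool && b == *m.BoolVal, nil
	case m.StrVal != nil:
		s, isStr := v.(string)
		return isStr && s == *m.StrVal, nil
	default:
		return false, fmt.Errorf("remote_json: match_json_field needs str_val or bool_val")
	}
}

func main() {
	// Constructed sample config for an OPA backend (URL is an assumption).
	cfg, _ := ParseConfig(`{"remote":"http://opa:8181/v1/data/httpapi/authz",
		"match_json_field":{"field":"result","bool_val":true}}`)
	for _, body := range []string{`{"result": true}`, `{"result": false}`, `{"result": "true"}`, `{}`} {
		ok, err := Authorized(200, []byte(body), cfg.MatchJSONField)
		fmt.Printf("%-20s allowed=%v err=%v\n", body, ok, err)
	}
}
```

For OpenFGA the same config works with `"field":"allowed"`, and a service that nests its verdict is handled by `"field":"result.status"` with `"str_val":"ok"`; nothing about the status-code path changes, so existing configurations without match_json_field keep their current behaviour.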