| -rw-r--r-- | README.md | 86 |
1 files changed, 76 insertions, 10 deletions
@@ -1,16 +1,22 @@ -# Spike +# Authx - Spike - +This repository contains a proof of concept that attempts to illustrate several +different types of workflows that could exist by introducting a separate authn/authz service. +The code in this repository is meant to be used to help express ideas and is not +meant for production usage. I chose not to introduce too many external libraries +in this repository to ensure that we have reference implementation of code that +we can use as guidance for understanding concepts like: -1. Twirp + GRPC (authz) - * idp (headless): provide a thrift/grpc endpoint that is the equivalent of `Ability.allowed?(subject, permission, resource)` - * gitlab -2. OpenID Connect (authn) + OAuth (authz) - * idp (with login pages) - * gitlab -3. API Gateway: using golang reverse proxy and one of the new policy dsl's -4. OPA agent style side car process using declarative policy +* SAML based Authn workflow (+IdP chaining to external Identity Providers) +* OIDC based Authn workflow +* OAuth endpoints with links to RFC's to provide guidance on how these endpoints + are meant to be used. + +Below is a recording of a SAML based service provider initiated login with the +raw SAML XML printed out to illustrate each step of the workflow. + + ## Identity Provider (SAML IdP) 
@@ -32,3 +38,63 @@ This is a tiny SAML Service Provider for testing out interactions with a SAML Id $ ruby ./bin/sp 1. Use `http://localhost:8283/metadata.xml` as your SAML SP Metadata url. + + +### Experiments + +#### Twirp + GRPC (authz) + +The first experiment is to expose an gRPC endpoint that matches the [`Ability.allowed?(subject, permission, resource)`][1] +interface that is the entrypoint into the declarative policies authz logic in +the GitLab monolith. + +This experiment is meant to showcase a headless authz service that provides a +low latency interface for other services to connect to in order to make an +authorization decision. This headless service is the policy decision point that +policy enforcement points can delegate to in order to check if a particular +action is authorized. + +The two actors in this experiment are: + +* Headless authz service: This service is a facade over the existing declarative + policies found in the [`gitlab-org/gitlab`][2] codebase. +* API (resource server in OAuth language): This service represents a slimmed + down version of the GitLab REST API that has been updated to delegate to the + authz service in order to execute authz enforcement. + +#### SAML, OIDC, OAuth + +This experiment illustrates how a separate authx service can provide both authn +and authz in a standards compliant way. It utilizes SAML and OIDC as the +mechanisms for authenticating a session and it relies on OAuth for making +authorization decisions. + +2. OpenID Connect (authn) + OAuth (authz) + * idp (with login pages) + * gitlab + +The two actors in this experiment are: + +* Authx service: This service acts as an Identity Provider in a SAML based + transaction and the Authorization Server in a OIDC/OAuth workflow. +* API: This service represents a slimmed down version of the GitLab REST API. 
+ +#### API Gateway + +This experiment introduces a separate policy domain specific language that can +be used to make authz decision as early in the request pipeline as possible. It +uses a reverse proxy with integration into a policy DSL (such as casbin) to make +authz decisions solely based on the contents of the HTTP request (headers + +body). It is stateless and proxies requests to backend services. + +#### Sidecar Process + +This experiment attempts to build a sidecar process that connects to a gRPC +endpoint defined in an earlier experiment to showcase how we can make authz +decisions from the nginx process while utilizing a single policy decision point. +This example runs nginx with a lua binding to connect via a unix socket to a +client process the proxies requests to the gRPC endpoint. It is inspired by the +Open Policy Agent style of deployment. + +[1]: https://gitlab.com/gitlab-org/gitlab/-/blob/e1f6db024561e35462ac8d9f54b8f9678f6ed6ee/app/models/ability.rb#L73 +[2]: https://gitlab.com/gitlab-org/gitlab/-/tree/master/app/policies |
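Review bot: The added sentence "Below is a recording of a SAML based service provider initiated login with the raw SAML XML printed out" in the first hunk is followed only by blank lines before the `## Identity Provider (SAML IdP)` heading, so as shown there is no link or embedded recording for the reader to follow; either add the link/asset reference or drop the sentence. Also in the same hunk, "introducting" should be "introducing", and "RFC's" should be "RFCs" (plural, not possessive).

Review bot: The second hunk leaves a stray fragment of the old numbered list inside the new "SAML, OIDC, OAuth" section: the lines `2. OpenID Connect (authn) + OAuth (authz)`, `* idp (with login pages)` and `* gitlab` appear between the experiment description and "The two actors in this experiment are:", with no item 1 preceding them; they look like a leftover from the list removed in the first hunk and should be deleted or folded into the prose. Two smaller wording fixes in the same hunk: "expose an gRPC endpoint" should be "expose a gRPC endpoint", "in a OIDC/OAuth workflow" should be "in an OIDC/OAuth workflow", "make authz decision" should be "make authz decisions", and "a client process the proxies requests" should be "a client process that proxies requests". One substantive point for the API Gateway section: since it says decisions are made "solely based on the contents of the HTTP request (headers + body)", it would help readers to state that the identity-bearing headers must be validated by the proxy (e.g. a verified token) rather than trusted as sent by the client, otherwise the reference design reads as if any caller can assert its own principal.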
