# Authx - Proof of Concept

This repository explores various authentication and authorization workflows by introducing a separate authn/authz service. It serves as a proof of concept to illustrate potential workflows, not a production-ready implementation. To keep the implementation accessible, external dependencies have been minimized, so that it can serve as a clear reference for understanding key concepts, including:

* SAML based authentication, including IdP chaining to external identity providers
* OIDC based authentication
* OAuth endpoints, with links to the relevant RFCs for proper usage guidance

## Architecture

```plaintext
   -------------
   | user-agent |
   -------------
         |
         V
----|:8080|-----------------------------------------------
         |
         V
   ---------------
   | API Gateway |  (use casbin to evict early, reverse proxy, inject context headers)
   ---------------
         |
         |          --------------------
         |--------->| IdP (saml, oidc) |
         |          --------------------
         |                    |
   :http | :grpc              | (use declarative_policy)
         |                    |
     ---------------          |
     |             |          |
     V             V          |
  ------     ------------     |
  | UI |     | REST API |-----|
  ------     ------------

[UI]: ui.example.com
[REST API]: api.example.com
[IdP]: idp.example.com
```

I have omitted TLS and RS256 from the prototype to keep the decisions about key management and rotation out of scope. See [smallstep](https://smallstep.com/docs/step-cli/) for PKI management. Without TLS the session cookie and the context headers injected by the gateway travel in cleartext, so the prototype is only meant for the loopback-bound setup described under Getting Started.

CSV files are used instead of a database to simulate different types of scenarios.
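The gateway's job in the diagram (evict early, reverse proxy, inject context headers), as an added Go example that is not code from this repository. An in-memory session table stands in for the IdP session lookup and a three-line rule list stands in for the casbin policy; the `session` cookie, the header names `X-Authx-User` and `X-Authx-Roles`, and the backend address are assumptions. The point it makes is that the injected headers are only trustworthy because the gateway overwrites any copy the client sent, and because the REST API is reachable solely through the gateway.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Session is what the gateway knows about a caller once the IdP has
// authenticated it. The sessions table is constructed sample data standing in
// for the lookup against the IdP.
type Session struct {
	User  string
	Roles []string
}

var sessions = map[string]Session{
	"sess-alice": {User: "alice", Roles: []string{"developer"}},
	"sess-bob":   {User: "bob", Roles: []string{"guest"}},
}

// rule is a stand-in for one casbin policy line: role, HTTP method, path prefix.
type rule struct{ Role, Method, Prefix string }

var policy = []rule{
	{"developer", "GET", "/api/"},
	{"developer", "POST", "/api/"},
	{"guest", "GET", "/api/public/"},
}

// Allowed reports whether any of the session's roles matches a policy rule.
func Allowed(s Session, method, path string) bool {
	for _, r := range policy {
		if r.Method != method || !strings.HasPrefix(path, r.Prefix) {
			continue
		}
		for _, role := range s.Roles {
			if role == r.Role {
				return true
			}
		}
	}
	return false
}

// Context headers the gateway injects for the REST API (assumed names).
const (
	HdrUser  = "X-Authx-User"
	HdrRoles = "X-Authx-Roles"
)

// NewGateway authenticates, authorizes, and only then reverse-proxies to backend.
func NewGateway(backend *url.URL) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(backend)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Evict early: no valid session, nothing reaches the API.
		c, err := r.Cookie("session")
		if err != nil {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		s, ok := sessions[c.Value]
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		if !Allowed(s, r.Method, r.URL.Path) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		// Header.Set replaces every value under the (canonicalized) key, so a
		// client-supplied X-Authx-User never survives to the backend.
		r.Header.Set(HdrUser, s.User)
		r.Header.Set(HdrRoles, strings.Join(s.Roles, ","))
		proxy.ServeHTTP(w, r)
	})
}

func main() {
	backend, err := url.Parse("http://api.example.com:8081") // assumed REST API address
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe(":8080", NewGateway(backend)))
}
```

Against the real prototype the rule list would be replaced by casbin's enforcer and the session table by a call to the IdP; the header hygiene stays the same. A real gateway should also drop the session cookie before forwarding, so the API never sees a credential it has no use for.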
The following organizational hierarchy is demonstrated here:

```
Organization(name: "default")
  * Group(name: "A")
    * Project(name: "A1")
  * Group(name: "B")
    * Project(name: "B1")
Organization(name: "gitlab")
  * Group(name: "gitlab-org")
    * Project(name: "gitlab")
  * Group(name: "gitlab-com")
    * Group(name: "gl-security")
      * Group(name: "test-projects")
        * Project(name: "eicar-test-project")
      * Project(name: "disclosures")
    * Group(name: "support")
      * Group(name: "toolbox")
        * Project(name: "changelog-parser")
    * Project(name: "handbook")
    * Project(name: "www-gitlab-com")
```

## Getting Started

1. Install tools:

   ```sh
   $ mise install
   ```

1. Add entries to `/etc/hosts`:

   ```sh
   $ tail -n3 /etc/hosts
   127.0.0.1 api.example.com
   127.0.0.1 idp.example.com
   127.0.0.1 ui.example.com
   ```

1. Start servers:

   ```sh
   $ mage
   ```

1. Open a browser to `http://ui.example.com:8080/`.

## Questions

See the [FAQ][9].

## References

* [go tool][5]
* [gRPC][6]
* [protocol buffers][7]
* [twirp][8]

[2]: https://gitlab.com/gitlab-org/gitlab/-/tree/master/app/policies
[5]: https://tip.golang.org/doc/modules/managing-dependencies#tools
[6]: https://grpc.io/docs/
[7]: https://protobuf.dev/programming-guides/proto3/
[8]: https://github.com/arthurnn/twirp-ruby/wiki/Code-Generation
[9]: ./doc/share/authz/FAQ.md
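How a policy check walks the organization/group/project hierarchy listed above when the data comes from CSV files, as an added Go example that is not code from this repository. The two CSV fixtures are constructed here and mirror part of the "gitlab" organization; the column layout, the role ordering and the ability-to-role mapping are assumptions in the style of GitLab's declarative policies. It shows the two properties worth checking in any hierarchical authz: membership flows down from a group to everything beneath it but never up, and unknown paths or abilities are denied rather than ignored.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
)

// Constructed CSV fixtures; a row's parent must already have been declared.
const hierarchyCSV = `kind,path,parent
organization,gitlab,
group,gitlab/gitlab-org,gitlab
project,gitlab/gitlab-org/gitlab,gitlab/gitlab-org
group,gitlab/gitlab-com,gitlab
group,gitlab/gitlab-com/gl-security,gitlab/gitlab-com
group,gitlab/gitlab-com/gl-security/test-projects,gitlab/gitlab-com/gl-security
project,gitlab/gitlab-com/gl-security/test-projects/eicar-test-project,gitlab/gitlab-com/gl-security/test-projects
`

const membershipCSV = `user,path,role
alice,gitlab/gitlab-org,maintainer
bob,gitlab/gitlab-com/gl-security,developer
carol,gitlab/gitlab-com/gl-security/test-projects/eicar-test-project,guest
`

// Role ordering and the minimum role per ability are assumed, GitLab-style.
var roleRank = map[string]int{"guest": 10, "reporter": 20, "developer": 30, "maintainer": 40, "owner": 50}
var abilityMinRole = map[string]string{"read_project": "guest", "push_code": "developer", "admin_project": "maintainer"}

// Authz indexes the tree (path -> parent, "" for an organization) and the
// direct memberships keyed by {user, path}.
type Authz struct {
	parent  map[string]string
	members map[[2]string]string
}

func readRows(src string) ([][]string, error) {
	rows, err := csv.NewReader(strings.NewReader(src)).ReadAll()
	if err != nil || len(rows) == 0 {
		return nil, fmt.Errorf("bad CSV: %v", err)
	}
	return rows[1:], nil // drop the header
}

// Load validates while indexing: a dangling parent or a membership on a path
// that does not exist fails at startup, not silently at check time.
func Load(hierarchy, memberships string) (*Authz, error) {
	a := &Authz{parent: map[string]string{}, members: map[[2]string]string{}}
	rows, err := readRows(hierarchy)
	if err != nil {
		return nil, err
	}
	for _, r := range rows {
		kind, path, parent := r[0], r[1], r[2]
		if _, ok := a.parent[parent]; kind != "organization" && !ok {
			return nil, fmt.Errorf("%s %q: unknown parent %q", kind, path, parent)
		}
		a.parent[path] = parent
	}
	if rows, err = readRows(memberships); err != nil {
		return nil, err
	}
	for _, r := range rows {
		user, path, role := r[0], r[1], r[2]
		if _, ok := a.parent[path]; !ok {
			return nil, fmt.Errorf("membership for %q on unknown path %q", user, path)
		}
		a.members[[2]string{user, path}] = role
	}
	return a, nil
}

// EffectiveRole is the strongest role the user holds on path or any ancestor.
// Membership flows down only: a role on a project grants nothing on its group.
func (a *Authz) EffectiveRole(user, path string) string {
	best := ""
	for p := path; p != ""; p = a.parent[p] {
		if r, ok := a.members[[2]string{user, p}]; ok && roleRank[r] > roleRank[best] {
			best = r
		}
	}
	return best
}

// Can fails closed: unknown paths and unknown abilities are denied.
func (a *Authz) Can(user, ability, path string) bool {
	need, ok := abilityMinRole[ability]
	if _, known := a.parent[path]; !known || !ok {
		return false
	}
	return roleRank[a.EffectiveRole(user, path)] >= roleRank[need]
}

func main() {
	a, err := Load(hierarchyCSV, membershipCSV)
	if err != nil {
		panic(err)
	}
	eicar := "gitlab/gitlab-com/gl-security/test-projects/eicar-test-project"
	fmt.Println(a.Can("bob", "push_code", eicar), a.Can("bob", "read_project", "gitlab/gitlab-com"))
}
```

Swapping the embedded constants for `os.ReadFile` of the repository's CSV files is the only change needed to run this against a real scenario; keeping the validation in `Load` is what makes a typo in a fixture show up as a startup error instead of a surprising allow or deny.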