Notice: This micro service is in a prerelease stage and may have breaking issues.
Authorization Service
The LCSR Authorization Services system is a policy-based access control (PBAC) system that provides a uniform way to make access decisions across diverse technology stacks by moving responsibility for authorization configuration and decision logic out of end applications. It accepts ad-hoc user identity schemas to accommodate various credentials and tests them through a pluggable, rule-based decision system, which may be proxied to external authenticators through distributed authorization authorities.
Applications can use this service to provide fine-tuned authorization with extensible permissions and redefinable policies.
Intro to PBAC (and its potential downsides)
Applications commonly need to prevent access to certain functionality based on the user accessing it.
Example:
A web application exists that allows professors to input grades and for students to view them.
Only professors should be allowed to modify grades. A student should NOT be allowed to do this.
Professors can see all grades, but students can only see their own grades. A student cannot view another student’s grades.
How do we go about adding these restrictions?
The most common way to handle this scenario is to hard-code these policies straight into the application: every check is built right into the website's source code.
The problem:
This approach can work fine for very small applications. However, more complex applications may need to update this logic over time to respond to new features or new organizational requirements.
A professor assigns a student as a teaching assistant (TA) to his course. As a TA, this student is responsible for grading other students’ papers, and must be able to view the grades of other students.
Normally, adding this functionality would require a change to the application's underlying codebase, which could mean third-party contracting, review, and support. This is not optimal.
The solution:
The LCSR Authorization Services system allows application developers to seamlessly integrate with an underlying authorization micro service. Instead of housing policy logic in-app, applications can turn to the micro service to store and evaluate policies. Making updates to an application’s policy is handled through an intuitive web UI, removing the need for a developer to make modifications directly.
How the micro service can improve your application
The LCSR Authorization services system decouples your application’s business logic from the authorization logic that regulates its access.
- Write less code. Authorization logic can quickly become complex. Instead of spending time writing hundreds of lines of code to secure a feature, let the micro service do the heavy lifting through a streamlined API.
- Adapt to new situations. The micro service can be adapted to changes in policy without changes to your application. Changes in organizational structure no longer require complex rewrites.
- Improve security. Creating your own authorization layer can lead to security holes that compromise the safety of your application. Using the micro service ensures that your authorization provider is battle-tested and regularly maintained.
How it works
Applications make decisions. A lot of them. When an application needs to decide what a user is authorized to do, it can turn to the LCSR Authorization Services system to do the heavy lifting. The diagram below illustrates the general workings of this process:
The application does not concern itself with HOW a check is decided, or why. Instead, it only provides the “what”.
Given the “what” (what the user is trying to do, such as viewing a student’s grades), the LCSR Identity Services determines whether the authenticated user has access.
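To make the grade-book example and the "what, not how" split concrete, here is an added illustration of the PBAC model (not the LCSR Authorization Services API or the Laravel package; the Request/Policy shapes, the is_allowed() call and the sample identities are assumptions made for this example). The application only hands over who is acting, on what, and which action; the decision point evaluates data-driven policies, denies by default, and the later TA requirement becomes one added policy rather than a code change.

```python
# Added illustration of the PBAC model described above; not the LCSR API.
# The Request/Policy shapes and is_allowed() are assumptions for this example.
from dataclasses import dataclass
from typing import Callable

@dataclass
class Request:          # the "what" the application hands to the service
    user: dict          # ad-hoc identity, e.g. {"id": "s1", "roles": ["student"]}
    action: str         # e.g. "view_grade" or "modify_grade"
    resource: dict      # e.g. {"owner": "s1", "course": "cs101"}

@dataclass
class Policy:
    name: str
    action: str
    condition: Callable[[dict, dict], bool]   # (user, resource) -> allowed?

class PolicyDecisionPoint:
    """Deny by default: allow only if some policy for the action matches."""
    def __init__(self, policies):
        self.policies = list(policies)

    def add_policy(self, policy: Policy) -> None:
        self.policies.append(policy)   # a policy change, not an app code change

    def is_allowed(self, req: Request) -> bool:
        return any(p.action == req.action and p.condition(req.user, req.resource)
                   for p in self.policies)

def has_role(user: dict, role: str) -> bool:
    return role in user.get("roles", [])

def gradebook_pdp() -> PolicyDecisionPoint:
    """The grade-book rules from the text, expressed as data-driven policies."""
    return PolicyDecisionPoint([
        Policy("professors modify grades", "modify_grade", lambda u, r: has_role(u, "professor")),
        Policy("professors view all grades", "view_grade", lambda u, r: has_role(u, "professor")),
        Policy("students view own grades", "view_grade", lambda u, r: r.get("owner") == u.get("id")),
    ])

def ta_policy() -> Policy:
    """The later TA requirement: view grades only in courses the user assists."""
    return Policy("TAs view grades in their course", "view_grade",
                  lambda u, r: r.get("course") in u.get("ta_for", []))

# Constructed sample identities and a grade record (not from the page).
PROF = {"id": "p1", "roles": ["professor"]}
ALICE = {"id": "s1", "roles": ["student"]}
BOB = {"id": "s2", "roles": ["student"], "ta_for": ["cs101"]}
ALICE_GRADE = {"owner": "s1", "course": "cs101"}
```

Before `ta_policy()` is added, BOB is refused ALICE's grade; after `pdp.add_policy(ta_policy())` he may view it but still cannot modify it, and ALICE can never modify her own grade.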
Implementing the services in your application
Client packages are available for common technologies and frameworks to make implementing this LCSR micro service straightforward.
Right now, this service supports the following technologies out-of-the-box using an available package:
- Laravel (repo, access is restricted) – the package comes with a demonstration application that can be used to see how the system works. The included README describes how to add the package to any existing or new Laravel application