Service Access Strategy - Open Policy Agent (OPA)
The Open Policy Agent is an open source, general-purpose policy engine that enables unified, fine-grained and context-aware policy enforcement across the entire stack. Policies are expressed in a high-level, declarative language with a given context that promotes safe, performant, fine-grained controls.
This access strategy builds an authorization request and submits it to OPA via a POST. The specifics of the authorization request are taught to CAS using the settings typically defined within the access strategy itself:
```json
{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "^https://.+.example.org",
  "name" : "test",
  "id" : 1,
  "accessStrategy" : {
    "@class": "org.apereo.cas.services.OpenPolicyAgentRegisteredServiceAccessStrategy",
    "apiUrl": "http://localhost:8080",
    "decision": "example/authz/allow",
    "token": "92d4a401q26o0",
    "context" : {
      "@class" : "java.util.TreeMap",
      "param1" : "value1"
    }
  }
}
```
The following fields are available to this access strategy:

Field | Purpose
---|---
`apiUrl` | [1] The OPA endpoint URL.
`decision` | The name of the policy decision defined in OPA.
`token` | [1] The bearer token to use in the `Authorization` header, if required.
`context` | Custom context to carry data to assist with the policy decision making.

[1] This field supports the Spring Expression Language syntax.
The authorization request body under the `input` parameter matches the following structure:

```json
{
  "input": {
    "principal": "casuser",
    "service": "https://myapp.example.com",
    "attributes": {
      "email": ["user@example.org"]
    },
    "context": { "parameter1": "value1" }
  }
}
```
OPA returns an HTTP `200` response code if the policy was evaluated successfully. Non-`200` response codes indicate configuration or runtime errors. The policy decision outcome is contained in the `result` key of the response message body:

```json
{
  "result": true
}
```
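The exchange described above, as an added Python example that is not part of CAS or OPA: it builds the `input` document, POSTs it with the bearer token, and interprets the reply, failing closed on anything other than an HTTP 200 carrying a boolean `true` in `result`. The URL composition (`apiUrl` + `/v1/data/` + `decision`) follows OPA's Data API and is an assumption about how CAS forms the request; `fake_opa` is a constructed stand-in for a real OPA server so the example runs offline.

```python
import json
from urllib import error, request

def build_opa_input(principal, service, attributes, context):
    """Build the body CAS sends: everything sits under the "input" key."""
    return {"input": {"principal": principal, "service": service,
                      "attributes": attributes, "context": context}}

def opa_decision_url(api_url, decision):
    # Assumption: the decision path is appended to OPA's Data API (POST /v1/data/<path>).
    return api_url.rstrip("/") + "/v1/data/" + decision.strip("/")

def parse_opa_response(status, body):
    """Fail closed: only HTTP 200 with {"result": true} grants access."""
    if status != 200:
        raise RuntimeError(f"OPA returned HTTP {status}: configuration or runtime error")
    # A missing "result" means the decision is undefined in OPA; treat that as deny.
    return json.loads(body).get("result") is True

def _http_send(url, headers, data):
    req = request.Request(url, data=data, headers=headers, method="POST")
    try:
        with request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except error.HTTPError as e:
        return e.code, e.read().decode()

def authorize(api_url, decision, token, payload, send=_http_send):
    """POST the input document to OPA with an optional bearer token; return the decision."""
    headers = {"Content-Type": "application/json"}
    if token:  # "token" is optional in the access strategy; only send it when configured
        headers["Authorization"] = "Bearer " + token
    status, body = send(opa_decision_url(api_url, decision), headers,
                        json.dumps(payload).encode())
    return parse_opa_response(status, body)

def fake_opa(url, headers, data):
    """Constructed stand-in for OPA (not a real server). It mimics a Rego rule that
    allows when input.service is the app URL and an email attribute ends in @example.org."""
    if headers.get("Authorization") != "Bearer 92d4a401q26o0":
        return 401, json.dumps({"code": "unauthorized"})
    if not url.endswith("/v1/data/example/authz/allow"):
        return 200, "{}"  # unknown decision path: OPA answers with no "result" key
    inp = json.loads(data)["input"]
    allow = (inp["service"] == "https://myapp.example.com"
             and any(e.endswith("@example.org") for e in inp["attributes"].get("email", [])))
    return 200, json.dumps({"result": allow})
```

Pass `send=fake_opa` to `authorize` to exercise the logic without a running OPA; drop it to talk to the `apiUrl` from the service definition.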