WORKERS AHEAD!
You are viewing the development documentation for the Apereo CAS server. The functionality presented here is not officially released yet. This is a work in progress and will be continually updated as development moves forward. You are most encouraged to test the changes presented.
Service Access Strategy - Cerbos
Cerbos is the open core, language-agnostic, scalable authorization solution that makes user permissions and authorization simple to implement and manage by writing context-aware access control policies for your application resources.
This access strategy builds an authorization request and submits it to Cerbos’s check/resources
API endpoint. Key points about the authorization request:
- The resource ID is assigned to the numeric identifier of CAS registered service.
- All principal attributes are packed and included in the authorization request.
- The following details about the CAS registered service are included in the authorization request:
serviceUrl
: Application URL.serviceName
: Registered service name.serviceId
: Registered service id.serviceFriendlyName
: Registered service friendly name.serviceType
: Registered service type.
The specifics of the authorization request are taught to CAS using the settings typically defined within the access strategy itself:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
{
"@class" : "org.apereo.cas.services.CasRegisteredService",
"serviceId" : "^https://.+",
"name" : "test",
"id" : 1,
"accessStrategy" : {
"@class": "org.apereo.cas.services.CerbosRegisteredServiceAccessStrategy",
"apiUrl": "http://localhost:3592",
"token": "...",
"scope": "scope1",
"requestId": "...",
"rolesAttribute": "memberOf",
"kind": "kind1",
"actions": [ "java.util.ArrayList", [ "read", "write", "view"] ],
"auxData": {
"@class": "java.util.HashMap"
"jwt": {
"@class": "java.util.HashMap",
"token": "...",
"keySetId": "..."
}
}
}
}
The following fields are available to this access strategy:
Field | Purpose |
---|---|
apiUrl |
[1] The Cerbos endpoint URL, defaults to http://localhost:3592 . |
token |
[1] The bearer token to use in the Authorization header, if required. |
requestId |
[1] Request ID can be anything that uniquely identifies a request. |
kind |
[1] Resource kind. Required. This value is used to determine the resource policy to evaluate. |
scope |
[1] Resource scope. Optional. |
rolesAttribute |
[1] Attribute name, defaulted to memberOf , that will indicate a list of roles assigned to the CAS principal. |
actions |
List of actions being performed on the resource. |
auxData |
Optional. Block for providing auxiliary data. See Cerbos for more info. |
[1] This field supports the Spring Expression Language syntax.