Service Access Strategy - Open Policy Agent (OPA)

The Open Policy Agent is an open source, general-purpose policy engine that enables unified, fine-grained and context-aware policy enforcement across the entire stack. Policies are expressed in a high-level, declarative language with a given context that promotes safe, performant, fine-grained controls.

This access strategy builds an authorization request and submits it to OPA via an HTTP POST. CAS learns how to build that request from the settings defined on the access strategy itself:

{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "^https://.+.example.org",
  "name" : "test",
  "id" : 1,
  "accessStrategy" : {
    "@class": "org.apereo.cas.services.OpenPolicyAgentRegisteredServiceAccessStrategy",
    "apiUrl": "http://localhost:8080",
    "decision": "example/authz/allow",
    "token": "92d4a401q26o0",
    "context" : {
      "@class" : "java.util.TreeMap",
      "param1" : "value1"
    }
  }
}

The following fields are available to this access strategy:

Field        Purpose
apiUrl [1]   The OPA endpoint URL.
decision     The name of the policy decision defined in OPA.
token [1]    The bearer token to use in the Authorization header, if required.
context      Custom context to carry data to assist with the policy decision making.

[1] This field supports the Spring Expression Language syntax.

The authorization request body under the input parameter matches the following structure:

{
  "input": {
    "principal": "casuser",
    "service": "https://myapp.example.com",
    "attributes": {
      "email": ["user@example.org"]
    },
    "context": { "parameter1": "value1" }
  }
}

OPA returns an HTTP 200 response code if the policy was evaluated successfully. Any non-200 response code indicates a configuration or runtime error. The policy decision outcome is carried in the result key of the response body:

{
  "result": true
}
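The request/response exchange described above, as an added example that is not CAS's own code: it builds the documented input body, sends it with the bearer token, and interprets the reply fail-closed. It assumes the decision name is mapped onto OPA's Data API path as apiUrl + /v1/data/ + decision; the fake opener used for testing is a construction for running offline.

```python
import json
import urllib.error
import urllib.request


def build_authz_request(principal, service, attributes, context):
    """Assemble the body CAS sends to OPA, using the structure shown above."""
    return {"input": {"principal": principal, "service": service,
                      "attributes": attributes, "context": context}}


def decision_url(api_url, decision):
    """Map a decision such as 'example/authz/allow' onto OPA's Data API path.
    Assumption: apiUrl + /v1/data/ + decision (OPA's usual convention)."""
    return f"{api_url.rstrip('/')}/v1/data/{decision.strip('/')}"


def interpret_response(status, body):
    """Fail closed: grant access only on HTTP 200 with a boolean result of
    true. OPA answers 200 with an empty object when the decision path is
    undefined (e.g. a misspelled package), so a missing 'result' denies."""
    if status != 200:
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return isinstance(data, dict) and data.get("result") is True


def check_access(api_url, decision, token, request_body,
                 opener=urllib.request.urlopen):
    """POST the request to OPA, adding the bearer token when configured, and
    return the access decision. 'opener' is injectable for offline tests."""
    req = urllib.request.Request(
        decision_url(api_url, decision),
        data=json.dumps(request_body).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with opener(req) as resp:
            return interpret_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # non-200 arrives as an exception
        return interpret_response(err.code, err.read())
    except (urllib.error.URLError, OSError):  # OPA unreachable: deny
        return False
```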