More Granular Authorization using the Policies or the DataScript

The role of the resource server is to validate the Access Token.

Using the Authorization Policies

Scopes are currently not supported. Therefore, Scope-Resource mapping is not available. That is, there is no native support for scopes, and consequently there is so no match type named scope available.

However, the scope is one of the claims (attribute values pairs) in the Access Token. So, scope-based authorization matches can be indirectly achieved using attribute matches.

For instance, if the admin wants to map /apiA to ScopeA and /apiB to ScopeB. This can be written as attribute matches using the following authorization policy:

1+----------------------------+-------------------------------+
2| Field                      | Value                         |
3+----------------------------+-------------------------------+
4| authz_rules[1]             |                               |
5|   match                    |                               |
6|     attr_matches[1]        |                               |
7|       attribute_name       | scope                         |
8|       attribute_value_list |                               |
9|         match_criteria     | CONTAINS                      |
10|         match_str[1]       | scopeA                        |
11|     path                   |                               |
12|       match_criteria       | BEGINS_WITH                   |
13|       match_str[1]         | /apiA                         |
14|   action                   |                               |
15|     type                   | ALLOW_ACCESS                  |
16| authz_rules[2]             |                               |
17|   match                    |                               |
18|     attr_matches[1]        |                               |
19|       attribute_name       | scope                         |
20|       attribute_value_list |                               |
21|         match_criteria     | CONTAINS                      |
22|         match_str[1]       | scopeB                        |
23|     path                   |                               |
24|       match_criteria       | BEGINS_WITH                   |
25|       match_str[1]         | /apiB                         |
26|   action                   |                               |
27|     type                   | ALLOW_ACCESS                  |
28| authz_rules[3]             |                               |
29|   match                    |                               |
30|     path                   |                               |
31|       match_criteria       | BEGINS_WITH                   |
32|       match_str[1]         | /                             |
33|   action                   |                               |
34|     type                   | HTTP_LOCAL_RESPONSE           |
35|     status_code            | HTTP_RESPONSE_STATUS_CODE_401 |
36| authz_rules[4]             |                               |
37|   index                    | 1                             |
38+----------------------------+-------------------------------+

Use DataScripts with Examples

A scope, that is, part of a claim can easily be used in any custom action using Datascripts also.

DataScript API	oauth_get_claim
Description	Used to map a scope that is a part of a claim
Example	To map /apiA to ScopeA and /apiB to ScopeB: path = avi.http.get_path() avi.vs.log(path) values, count = avi.http.oauth_get_claim(avi.OAUTH_ACCESS_TOKEN, "scope") for i = 1,count,1 do avi.vs.log(values[i]) avi.vs.log("checking scope11") if string.match(values[i],"scope1") and string.match(path, "api1") then allow = true avi.vs.log("api1 scope1 found ") end avi.vs.log("checking scope2") if string.match(values[i],"scope1") and string.match(path, "api2") then allow = true avi.vs.log("api2 scope 2found ") end end if allow == false then avi.http.response(403) end

DataScript API

oauth_get_claim

Description

Used to map a scope that is a part of a claim

Example

To map /apiA to ScopeA and /apiB to ScopeB:

path = avi.http.get_path()
avi.vs.log(path) 
values, count = avi.http.oauth_get_claim(avi.OAUTH_ACCESS_TOKEN, "scope") 
for i = 1,count,1 
	do 
	   avi.vs.log(values[i]) 
	   avi.vs.log("checking scope11")
	   if string.match(values[i],"scope1") and  string.match(path, "api1") then 
	   		allow = true
	   		avi.vs.log("api1 scope1 found ")  
	   	end
	   avi.vs.log("checking scope2")
	   if string.match(values[i],"scope1") and  string.match(path, "api2") then 
	   		allow = true
	   		avi.vs.log("api2 scope 2found ")
	   end
	end
if allow == false then  avi.http.response(403)
end

Extracting Token using DataScript

Starting with NSX Advanced Load Balancer version 22.1.3, a new DataScript function is supported for OAuth, namely, avi.http.oauth_get_token. This function extracts the token from the user’s OAuth session after the session is established. For more information, see avi.http.oauth_get_token(TOKEN_TYPE) (HTTP Functions section in VMware NSX Advanced Load BalancerDatascript guide.

Caveats and Limitations

Only authorization code grant is supported.
Multiple IDPs cannot be configured with the same virtual service.