
Enable Authorization based on OIDC claims alone without the need for Entity Resolution Service

Open jrschumacher opened this issue 1 year ago • 2 comments

The addition of Entity Resolution Service offers the ability to fetch custom data from an IdP or some other source when making an Authorization request. The challenge with this is that it increases the necessary requirements to get OpenTDF up and running.

Currently, ERS only supports Keycloak and any additional needs will need to be developed and deployed apart from the platform. OpenTDF has no plans to add or maintain support for other IdP or data sources.

This enhancement focuses on reducing the complexity of starting the OpenTDF service by supporting any IdP (that meets our requirements) without any custom code, as well as reducing any custom integration with Keycloak, which requires an API key to fetch additional data.

Acceptance Criteria

  • should be able to specify a token property to validate
  • should fail authorization if property is not found in token

jrschumacher avatar May 13 '24 14:05 jrschumacher
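The two acceptance criteria above, worked through as an added Go example (not code from the opentdf/platform repository): an operator-configured claim path is looked up in the payload of an access token that the authn layer has already signature-verified, and a missing claim fails closed instead of falling through to ERS. The function names, the dotted-path convention and the Keycloak-style `realm_access.roles` path are assumptions, not platform API.

```go
package main

import (
	"encoding/json"
	"errors"
	"strings"
)

// ErrClaimMissing is the fail-closed outcome the acceptance criteria require.
var ErrClaimMissing = errors.New("required claim not present in token")
// lookupClaim walks a dotted path (e.g. "realm_access.roles") through the payload.
func lookupClaim(claims map[string]any, path string) (any, bool) {
	var cur any = claims
	for _, key := range strings.Split(path, ".") {
		m, ok := cur.(map[string]any)
		if !ok {
			return nil, false
		}
		if cur, ok = m[key]; !ok {
			return nil, false
		}
	}
	return cur, true
}

// EntitlementsFromClaims takes the payload of an already signature-verified
// access token plus the configured claim path (assumed names) and returns
// that claim's values for attribute matching; absent claim => deny.
func EntitlementsFromClaims(payload []byte, claimPath string) ([]string, error) {
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	v, ok := lookupClaim(claims, claimPath)
	if !ok {
		return nil, ErrClaimMissing // property not in token: fail authorization
	}
	switch t := v.(type) {
	case string:
		return []string{t}, nil
	case []any: // e.g. a Keycloak roles array
		out := make([]string, 0, len(t))
		for _, e := range t {
			if s, isStr := e.(string); isStr {
				out = append(out, s)
			}
		}
		return out, nil
	}
	return nil, errors.New("claim " + claimPath + " has an unsupported type")
}
```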

Had this written this morning but never hit create.

https://github.com/opentdf/platform/issues/793

strantalis avatar May 13 '24 20:05 strantalis

The TDF specification addresses this with tdf_claims. See https://github.com/opentdf/spec/blob/2a95f6f434ae241df1d2371b33c2b3c564e5ee67/protocol/README.md?plain=1#L15

Would this functionality address this issue? (Note this is v1 behavior and will need to be ported to v2)

pflynn-virtru avatar Jul 03 '24 12:07 pflynn-virtru