HTTP Request-Level Authentication with SpiceDB

[infogulch]

I'm considering integrating authorization into my application at the level of the http request.

There's an emerging convergence around this idea of doing that in a reverse proxy by doing a precheck request, forwarding the request details including headers off to a remote authn/authz endpoint, and using the response code to determine whether to allow the request through to the real backend. Some implementations:

• Authelia Trusted Header SSO
• Caddy Server forward_auth

One benefit of this design is that it dissociates both the application and the proxy from authn/authz concerns, and isolates that problem to a simple http endpoint.

Now, I understand that authzed is focused on authz not authn, and also that the strategy zanzibar and spicedb takes is to authorize at the object level. But lets assume that the application is designed such that it's possible to cleanly map http paths to objects, and that authn is handled.

What do you think about using spicedb for this purpose? Any ideas for implementing "map http paths to objects"?

[vroldanbet]

Hey @infogulch,

at authzed we consider this to be a good fit for SpiceDB and in fact are using it internally this way to power some of our services. With SpiceDB's 1.24.0 recent changes to the support slashes in object identifiers, you could easily map resource paths.

You could extract authN information from headers or a JWT, and use it as the subject identifier.

For example, a POST https://example.com/books/3 would turn into a call to SpiceDB's WriteRelationships API writing the tuple books:1#creator@user#johndoe. You could also check if johndoe is allowed to create books by issuing a CheckPermission API call to SpiceDB.

A GET https://example.com/books/3 could be turned into a CheckPermission call like books:1#view@user#johndoe.

[infogulch]

That's great.

Would authzed consider adding the functionality directly into spicedb to handle these precheck requests that come from a reverse proxy? Maybe on a separate listening port so these requests can't cross with the regular api. This would be a nice way to generically integrate with reverse proxies for http-request-level authz checks without needing to run a separate service in between.

[vroldanbet]

@infogulch I think such functionality should be outside of SpiceDB, as similar patterns can emerge in different setups, and different protocols... SpiceDB should be kept as a lean core component and an ecosystem of integrations could be built around it (e.g. import SpiceDB as a go module and expose it behind a new API, all within the same process boundary). In that regard, SpiceDB should make it easy to layer such components on top of it.