Authz

Source code in:

• gobj.c

• gobj.h

Authentication and Authorization in Yuneta¶

Authentication and authorization in Yuneta ensure secure identification of users and validation of their permissions to access resources or perform actions. These processes are managed via APIs such as gobj_authenticate and gobj_user_has_authz, with the ability to use custom or built-in parsers and checkers.

Core Concepts¶

1. Authentication¶

Authentication verifies the identity of a user by validating credentials such as tokens or other identifiers.

• API:

json_t *gobj_authenticate(hgobj gobj, json_t *kw, hgobj src)

• Parser: Defined in the global_authentication_parser argument of gobj_start_up(). If null, a default parser is used.

The authentication parser:

• Processes the credentials provided in kw.

• Returns a JSON response indicating success or failure.

2. Authorization¶

Authorization ensures that an authenticated user has the necessary permissions to perform an action or access a resource.

• API:

BOOL gobj_user_has_authz(hgobj gobj_to_check, const char *authz, json_t *kw, hgobj src)

• Checker: Defined in the global_authorization_checker argument of gobj_start_up(). If null, a default checker is used.

The authorization checker:

• Uses the mt_authz_checker method if defined in the GClass.

• Verifies if the user has the required permission (authz) based on roles and parameters.

• Returns TRUE if the user is authorized; otherwise, FALSE.

GClass C_AUTHZ¶

Yuneta provides a module c_authz with default standalone implementations for authentication and authorization:

• Authentication: PUBLIC json_t *authentication_parser(hgobj gobj_service, json_t *kw, hgobj src)

• Authorization: PUBLIC BOOL authz_checker(hgobj gobj_to_check, const char *authz, json_t *kw, hgobj src)

These are public module-level functions (not GClass methods). They can be passed directly to gobj_start_up() as the global authentication parser and authorization checker. Internally, authz_checker locates the C_AUTHZ service instance to perform the actual check.

Workflow¶

Authentication Workflow¶

1. Request Authentication:

   • Call gobj_authenticate() with user credentials in kw.

2. Parser Selection:

   • If the GClass defines mt_authenticate, it is called.

   • Otherwise, the global_authentication_parser is used.

   • If no parser is provided, the default mechanism is used.

3. Validation:

   • Credentials are validated, possibly using external systems (e.g., OAuth2, JWT).

4. Response:

   • A JSON response indicates authentication success or failure.

Authorization Workflow¶

1. Request Authorization:

   • Call gobj_user_has_authz() with the required permission (authz).

2. Checker Selection:

   • If the GClass defines mt_authz_checker, it is called.

   • Otherwise, the global_authorization_checker is used.

   • If no checker is provided, the default mechanism is used.

3. Validation:

   • The checker evaluates the user’s roles and permissions against the required authz.

4. Response:

   • The method returns TRUE if authorized or FALSE otherwise.

Features¶

Authentication¶

• Support for JWT tokens, OAuth2, and system users.

• Integration with external identity providers for secure token validation.

Authorization¶

• Role-based access control (RBAC) for granular permission management.

• Hierarchical roles and services enable complex access control scenarios.

Integration with GObjs¶

• Authentication and authorization can be defined per GObj or applied globally.

• Built-in methods in C_AUTHZ simplify implementation.

Benefits¶

• Flexibility: Custom parsers and checkers enable tailored authentication and authorization logic.

• Security: Centralized access controls ensure consistency and reliability.

• Simplicity: Built-in functionality in C_AUTHZ reduces development overhead.