new recipe: gateway-injected rights matrix

[divarvel]

Context

In a multi-service setup, were rights definitions are managed by a single service. In order to avoid having this service directly queried by everyone every time a token is checked, the gateway can inject relevant information in the token itself, so that the receiving service can check the token in a self-contained way. The service can also use the received token to communicate with other services.

sequenceDiagram
    Client->>Gateway: Request with regular token
    Gateway-->>Gateway: Inject rights matrix in token
    Gateway->>Service A: Request with enriched token
    Service A->>Service B: Sub request with the same token (possibly attenuated)
    Service B->>Service A: Response
    Service A->>Gateway: Response
    Gateway->>Client: Response

Loading

Example

Token sent by the client

user("user_1234");

Block injected by the gateway, signed with the gateway secret key

right("user_1234", "file1", "read");
right("user_1234", "file2", "read");
right("user_1234", "file2", "write");

Authorizer used by the service

resource("file1");
operation("read");
allow if resource($r), operation($op), right("user_123", $r, $op) trusting authority, {gatewayPk};

The service is able to trust the rights matrix provided by the gateway because the gateway has signed the block with its secret key.

[vlmutolo]

This is really interesting. I hadn't thought of this particular optimization enabled by third-party tokens.

One comment: maybe the sequence diagram should have another service that the first service passes its token to? It would complicate the diagram, but it would also more directly demonstrate that the second service wouldn't need to communicate with the gateway to receive the rights matrix.

[divarvel]

Ah that's a good point. I have added a second service.