Manage Authorization Clients

The Authorization Service uses INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST:

- To specify which applications can access Access Control Resources (ACRs). Only the clients whose Solid-OIDC Client IDs are in the list can modify the ACRs (i.e., modify access policies for resources).
- To create the Initial ACP Policies when a Pod is created. Specifically, the initial policies allow only the clients whose Client IDs are in the list (at the time of the Pod creation) to read and write to the Pod.

With respect to Pod creation, INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST only affects the initial policies. Once the initial policies have been created, any change to the list has no effect on existing policies.
Disambiguation

Both the Authorization Service and the Pod Storage Service have an INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST setting. Only the Authorization Service setting affects which clients are allowed. The Pod Storage Service setting is for discovery purposes only; as such, the setting in the Pod Storage Service should reflect the values set in the Authorization Service.
Example Customization

The following customization updates INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST for the Authorization Service and the corresponding INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST for the Pod Storage Service.
1. Go to your ESS installation directory:

   cd ${HOME}/ess

2. Create an authz-client-id-allow-list.yaml file with the following content:

   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: ess-authorization-acp
   spec:
     template:
       spec:
         containers:
           - env:
               - name: INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST
                 value: https://myApp.example.com/appid,https://podbrowser.inrupt.com/api/app
             name: ess-authorization-acp

3. Create a podconfig-client-id-allow-list.yaml file with the following content:

   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: ess-pod-storage
   spec:
     template:
       spec:
         containers:
           - env:
               - name: INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST
                 value: https://myApp.example.com/appid,https://podbrowser.inrupt.com/api/app
             name: ess-pod-storage

4. Modify the kustomization.yaml (i.e., step 3 of the Applying Your Customizations procedure) to use authz-client-id-allow-list.yaml and podconfig-client-id-allow-list.yaml. Specifically, add the two patch entries shown below to the patches section of the kustomization.yaml file.

   Tip: If the patches key does not exist in kustomization.yaml, add the patches key as well.

   # kustomization.yaml in your ESS installation directory
   # ... Preceding content omitted for brevity
   # ...
   patches:
     - path: authz-client-id-allow-list.yaml
     - path: podconfig-client-id-allow-list.yaml

5. Continue with the rest of the Applying Your Customizations procedure.
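Because only the Authorization Service list is enforced while the Pod Storage Service list is merely advertised for discovery, the two drift apart silently when one patch file is edited and the other is not. The following Python check is an added example, not code from Inrupt or from the ESS documentation: it reads INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST out of the two Deployments as `kubectl get deployment <name> -o json` would return them, reports which Client IDs are missing from or surplus in the Pod Storage list, and flags entries that are not absolute https URLs. The container names and the variable name come from the patch files above; the two JSON documents embedded in the script are constructed samples, and the https-URL shape check is this example's assumption rather than a documented ESS rule.

```python
"""Drift check for INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST across ESS services.

Added example, not Inrupt's code. Assumes the two Deployments were exported
with `kubectl get deployment <name> -o json`; the env var is read from the
container that carries the same name as the Deployment, as in the patch files.
"""
import json
from urllib.parse import urlsplit

ENV_NAME = "INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST"

# Constructed sample: an ess-authorization-acp Deployment after the
# authz-client-id-allow-list.yaml patch has been applied.
AUTHZ_DEPLOYMENT = json.dumps({
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "ess-authorization-acp"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "ess-authorization-acp",
        "env": [{"name": ENV_NAME,
                 "value": "https://myApp.example.com/appid,"
                          "https://podbrowser.inrupt.com/api/app"}],
    }]}}},
})

# Constructed sample: an ess-pod-storage Deployment whose patch was NOT updated,
# so its discovery list still names only one client (drift).
POD_STORAGE_DEPLOYMENT = json.dumps({
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "ess-pod-storage"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "ess-pod-storage",
        "env": [{"name": ENV_NAME,
                 "value": "https://podbrowser.inrupt.com/api/app"}],
    }]}}},
})


def allow_list_from_deployment(doc: str, container: str) -> list[str]:
    """Return the Client IDs set on `container`, split on commas, or [] if unset."""
    spec = json.loads(doc)
    for c in spec["spec"]["template"]["spec"]["containers"]:
        if c.get("name") != container:
            continue
        for env in c.get("env", []):
            if env.get("name") == ENV_NAME:
                raw = env.get("value", "")
                return [v.strip() for v in raw.split(",") if v.strip()]
    return []


def invalid_client_ids(ids: list[str]) -> list[str]:
    """Solid-OIDC Client IDs are URIs. This example requires an absolute https
    URL with a host (assumption); a typo here silently locks the app out."""
    bad = []
    for cid in ids:
        parts = urlsplit(cid)
        if parts.scheme != "https" or not parts.netloc:
            bad.append(cid)
    return bad


def compare_allow_lists(authz_doc: str, storage_doc: str) -> dict:
    """Compare the enforced (Authorization) list with the advertised (Pod Storage) list.

    missing_in_pod_storage: clients that are allowed but not discoverable.
    extra_in_pod_storage:   clients advertised although they are not allowed.
    """
    authz = allow_list_from_deployment(authz_doc, "ess-authorization-acp")
    storage = allow_list_from_deployment(storage_doc, "ess-pod-storage")
    invalid = invalid_client_ids(authz + storage)
    return {
        "authorization": authz,
        "pod_storage": storage,
        "invalid": invalid,
        "missing_in_pod_storage": sorted(set(authz) - set(storage)),
        "extra_in_pod_storage": sorted(set(storage) - set(authz)),
        "in_sync": set(authz) == set(storage) and not invalid,
    }


if __name__ == "__main__":
    report = compare_allow_lists(AUTHZ_DEPLOYMENT, POD_STORAGE_DEPLOYMENT)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against live output by replacing the two constructed documents with the result of `kubectl get deployment ess-authorization-acp -o json` and `kubectl get deployment ess-pod-storage -o json`; a non-empty `missing_in_pod_storage` means an allowed client will not be advertised, and a non-empty `extra_in_pod_storage` means discovery advertises a client that the Authorization Service will in fact refuse.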