Authorization Service
New in version 2.0.
The Authorization service hosts the Access Control Resources (ACR) for every ESS Pod resource and is responsible for managing and enforcing the Access Control Policies (ACP).
Authorization Service Endpoint
By default, the ESS Authorization Service runs from the following root URL:
https://authorization.<ESS Domain>
To change the root Authorization service URL, see INRUPT_AUTHORIZATION_BASE_URL.
Configuration
As part of the installation process, Inrupt provides base Kustomize overlays and associated files that require deployment-specific configuration inputs.
The following configuration options are available for the service and may be set as part of updating the inputs for your deployment. Note that the Inrupt-provided base Kustomize overlays may use configuration values that differ from the defaults listed here.
Required
- INRUPT_AUTHORIZATION_BASE_URL
The URI of the Authorization service.
- INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST
Default: https://permissions.{ESS_DOMAIN}/app/id,https://podbrowser.inrupt.com/api/app
Comma-delimited list of applications that can perform read and write operations on the Access Control Resources. To specify applications, use their Solid-OIDC Client IDs.
In addition, upon the creation of a Pod, the authorization server uses the list to initialize the default access policies for the Pod.
Important
The INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST value must be managed with care. Only those applications with a high level of trust should be listed. This value should never be set to an empty list. See Manage Authorization Clients. See also the INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST configuration for the Pod service.
Kafka Configuration
Tip
See also ESS’ Kafka Configuration.
- KAFKA_BOOTSTRAP_SERVERS
Default: localhost:9092
Comma-delimited list of Kafka broker servers for use by ESS services, including this service.
Setting KAFKA_BOOTSTRAP_SERVERS configures ESS to use the same Kafka instance(s) for all its Kafka message channels (e.g., the solidresource and auditv1out message channels). This service uses the solidaccesscontrolresource and auditv1out message channels.
Note
Inrupt-provided overlays default to using KAFKA_BOOTSTRAP_SERVERS. To use different Kafka instances for the solidaccesscontrolresource and auditv1out message channels, use the specific message channel configuration. See also ESS’ Kafka Configuration.
- MP_MESSAGING_OUTGOING_SOLIDACCESSCONTROLRESOURCE_VALUE_SERIALIZER
Default: org.apache.kafka.common.serialization.StringSerializer
The serializer used for the notification messages the service sends to Kafka.
Supported values are:
  - org.apache.kafka.common.serialization.StringSerializer
    When set to this value, notification messages sent to Kafka are unencrypted. Services that consume these messages will need to set their MP_MESSAGING_INCOMING_SOLIDACCESSCONTROLRESOURCE_VALUE_DESERIALIZER configuration to the corresponding deserializer value org.apache.kafka.common.serialization.StringDeserializer.
  - com.inrupt.components.kafka.encryption.EncryptMessageSerializer
    When set to this value, notification messages sent to Kafka are encrypted. Services that consume these encrypted messages will need to set their MP_MESSAGING_INCOMING_SOLIDACCESSCONTROLRESOURCE_VALUE_DESERIALIZER configuration to the corresponding deserializer value com.inrupt.components.kafka.encryption.DecryptMessageDeserializer.
- INRUPT_KAFKA_SOLIDACCESSCONTROLRESOURCE_CIPHER_PASSWORD
The symmetric key to use when encrypting messages (see MP_MESSAGING_OUTGOING_SOLIDACCESSCONTROLRESOURCE_VALUE_SERIALIZER).
Warning
Set to a strong password.
- INRUPT_KAFKA_AUDITV1EVENTSENCRYPTED_CIPHER_PASSWORD
The strong cipher key to use when running auditing with encrypted messages.
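As an added example (not Inrupt's code), a pre-deployment check that the serializer chosen above is paired with the matching consumer-side deserializer and, when encryption is selected, that a cipher password is present. The environment dictionaries and the 32-character minimum length are constructed assumptions; the variable names and class names are those documented on this page.

```python
# Added example: consistency check of the ACR notification channel settings.
# Inputs are plain dicts standing in for the two services' environments
# (constructed; not read from a real deployment).
from typing import Dict, List

STRING_SER = "org.apache.kafka.common.serialization.StringSerializer"
STRING_DESER = "org.apache.kafka.common.serialization.StringDeserializer"
ENCRYPT_SER = "com.inrupt.components.kafka.encryption.EncryptMessageSerializer"
DECRYPT_DESER = "com.inrupt.components.kafka.encryption.DecryptMessageDeserializer"

PRODUCER_VAR = "MP_MESSAGING_OUTGOING_SOLIDACCESSCONTROLRESOURCE_VALUE_SERIALIZER"
CONSUMER_VAR = "MP_MESSAGING_INCOMING_SOLIDACCESSCONTROLRESOURCE_VALUE_DESERIALIZER"
CIPHER_VAR = "INRUPT_KAFKA_SOLIDACCESSCONTROLRESOURCE_CIPHER_PASSWORD"

MIN_CIPHER_PASSWORD_LEN = 32  # assumed local policy for "strong password"


def check_acr_channel(authz_env: Dict[str, str], consumer_env: Dict[str, str]) -> List[str]:
    """Return findings for the authorization service / consumer pairing.

    An empty list means the producer and consumer settings are consistent and
    the channel is encrypted with a password that meets the assumed minimum.
    """
    findings: List[str] = []
    serializer = authz_env.get(PRODUCER_VAR, STRING_SER)      # page default
    deserializer = consumer_env.get(CONSUMER_VAR, STRING_DESER)

    if serializer == STRING_SER:
        # Plaintext on the wire: flag it so the operator makes a conscious choice.
        findings.append("ACR notifications are sent to Kafka unencrypted")
        if deserializer != STRING_DESER:
            findings.append(f"consumer must set {CONSUMER_VAR}={STRING_DESER}")
    elif serializer == ENCRYPT_SER:
        if deserializer != DECRYPT_DESER:
            findings.append(f"consumer must set {CONSUMER_VAR}={DECRYPT_DESER}")
        password = authz_env.get(CIPHER_VAR, "")
        if not password:
            findings.append(f"{CIPHER_VAR} is required when {ENCRYPT_SER} is used")
        elif len(password) < MIN_CIPHER_PASSWORD_LEN:
            findings.append(f"{CIPHER_VAR} is shorter than {MIN_CIPHER_PASSWORD_LEN} characters")
    else:
        findings.append(f"unsupported serializer: {serializer}")
    return findings
```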
Optional
- INRUPT_AUTHORIZATION_MAX_POD_COUNT
Default: 10
The maximum number of Pods owned by a specific WebID.
Important
The INRUPT_AUTHORIZATION_MAX_POD_COUNT value must equal the Pod Service’s INRUPT_STORAGE_MAX_PODS_PER_OWNER value. When changing the INRUPT_AUTHORIZATION_MAX_POD_COUNT value, ensure you also update INRUPT_STORAGE_MAX_PODS_PER_OWNER to the same value.
- INRUPT_JWT_ISSUER_ALLOW_LIST
A comma-separated list of trusted Solid-OIDC issuers (i.e., identity providers).
If unset, the service accepts all Solid-OIDC issuers except those in the INRUPT_JWT_ISSUER_DENY_LIST.
If set, the service accepts only those Solid-OIDC issuers in the list, with the following exception: if an issuer is in both INRUPT_JWT_ISSUER_ALLOW_LIST and INRUPT_JWT_ISSUER_DENY_LIST, the INRUPT_JWT_ISSUER_DENY_LIST supersedes the INRUPT_JWT_ISSUER_ALLOW_LIST and the issuer is not accepted by ESS.
See also INRUPT_JWT_ISSUER_DENY_LIST.
- INRUPT_JWT_ISSUER_DENY_LIST
A comma-separated list of disallowed Solid-OIDC issuers.
If unset, the service accepts all Solid-OIDC issuers unless INRUPT_JWT_ISSUER_ALLOW_LIST is set, in which case the service only accepts those in the INRUPT_JWT_ISSUER_ALLOW_LIST.
If set, the service disallows the Solid-OIDC issuers in the list. If INRUPT_JWT_ISSUER_ALLOW_LIST is also set, issuers not in the INRUPT_JWT_ISSUER_ALLOW_LIST are also disallowed.
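The allow-list / deny-list precedence described above, written out as a standalone decision function (an added example, not Inrupt's code). It assumes exact string comparison of issuer URLs and treats an allow list that is set but empty as accepting no issuer, which the page does not spell out.

```python
# Added example: acceptance rule for Solid-OIDC issuers given the raw values
# of INRUPT_JWT_ISSUER_ALLOW_LIST and INRUPT_JWT_ISSUER_DENY_LIST.
# None models an unset variable; a string (even "") models a set one.
from typing import Optional, Set


def parse_issuer_list(raw: Optional[str]) -> Optional[Set[str]]:
    """Return None when the variable is unset, else the set of trimmed entries."""
    if raw is None:
        return None
    return {entry.strip() for entry in raw.split(",") if entry.strip()}


def issuer_accepted(issuer: str, allow_raw: Optional[str], deny_raw: Optional[str]) -> bool:
    """Decide whether tokens from `issuer` are accepted under the two lists."""
    allow = parse_issuer_list(allow_raw)
    deny = parse_issuer_list(deny_raw) or set()

    # The deny list supersedes the allow list: a denied issuer is never accepted.
    if issuer in deny:
        return False
    # No allow list configured: every issuer not explicitly denied is accepted.
    if allow is None:
        return True
    # Allow list configured (assumption: exact match on the issuer string).
    return issuer in allow
```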
- INRUPT_JWT_ALLOWED_SIGNATURE_ALGORITHMS
Default: ES256,RS256
A comma-separated list of the allowed algorithms for signing ID tokens.
- QUARKUS_LOG_LEVEL
Default: INFO
Logging level.
- QUARKUS_GRPC_SERVER_PORT
The gRPC port of the Authorization Server.
- QUARKUS_GRPC_SERVER_SSL_CERTIFICATE
Path to the server TLS/SSL certificate.
- QUARKUS_GRPC_SERVER_SSL_KEY
Path to the server TLS/SSL certificate key file.
- QUARKUS_GRPC_SERVER_SSL_TRUST_STORE
Trust store file to use.
- QUARKUS_GRPC_SERVER_SSL_TRUST_STORE_PASSWORD
Password of the trust store file.
Additional Information
See also https://quarkus.io/guides/all-config.