Authorization Service

New in version 2.0.

The Authorization service hosts the Access Control Resources (ACR) for every ESS Pod resource and is responsible for managing/enforcing the Access Control Policies (ACP).

Authorization Service Endpoint

By default, the ESS Authorization Service runs from the following root URL:

https://authorization.<ESS Domain>

To change the root Authorization service URL, see INRUPT_AUTHORIZATION_BASE_URL.

See also INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST.

Configuration

As part of the installation process, Inrupt provides base Kustomize overlays and associated files that require deployment-specific configuration inputs.

The following configuration options are available for the service and may be set as part of updating the inputs for your deployment. The Inrupt-provided base Kustomize overlays may be using updated configuration values that differ from the default values.

Required

INRUPT_AUTHORIZATION_BASE_URL

The URI of the Authorization service.

INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST

Default: https://permissions.{ESS_DOMAIN}/app/id,https://podbrowser.inrupt.com/api/app

Comma-delimited list of applications that can perform read and write operations on the Access Control Resources. To specify applications, use their Solid-OIDC Client IDs.

In addition, upon the creation of a Pod, the authorization server uses the list to initialize the default access policies for the Pod.

Important

The INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST value must be managed with care. Only those applications with a high level of trust should be listed. This value should never be set to an empty list.

See Manage Authorization Clients. See also the INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST configuration for the Pod service.

Kafka Configuration

Tip

See also ESS’ Kafka Configuration.

KAFKA_BOOTSTRAP_SERVERS

Default: localhost:9092

Comma-delimited list of Kafka broker servers for use by ESS services, including this service.

Setting KAFKA_BOOTSTRAP_SERVERS configures ESS to use the same Kafka instance(s) for all its Kafka message channels (e.g., solidresource and auditv1out message channels). This service uses the solidaccesscontrolresource and auditv1out message channels.

Note

Inrupt-provided overlays default to using KAFKA_BOOTSTRAP_SERVERS.

To use different Kafka instances for the solidaccesscontrolresource and auditv1out message channels, use specific message channel configuration.

See also ESS’ Kafka Configuration.

MP_MESSAGING_OUTGOING_SOLIDACCESSCONTROLRESOURCE_VALUE_SERIALIZER

Default: org.apache.kafka.common.serialization.StringSerializer

The serializer used for the notification messages the service sends to Kafka.

Supported values are:

• org.apache.kafka.common.serialization.StringSerializer

  When set to this value, notification messages sent to Kafka are unencrypted.

  Services that consume these messages will need to set their MP_MESSAGING_INCOMING_SOLIDACCESSCONTROLRESOURCE_VALUE_DESERIALIZER to the corresponding deserializer value org.apache.kafka.common.serialization.StringDeserializer.

• com.inrupt.components.kafka.encryption.EncryptMessageSerializer

  When set to this value, notification messages sent to Kafka are encrypted. Services that consume these encrypted messages will need to set their MP_MESSAGING_INCOMING_SOLIDACCESSCONTROLRESOURCE_VALUE_DESERIALIZER configuration to the corresponding deserializer value com.inrupt.components.kafka.encryption.DecryptMessageDeserializer.

INRUPT_KAFKA_SOLIDACCESSCONTROLRESOURCE_CIPHER_PASSWORD

The symmetric key to use when encrypting messages (see MP_MESSAGING_OUTGOING_SOLIDACCESSCONTROLRESOURCE_VALUE_SERIALIZER).

Warning

Set to a strong password.

INRUPT_KAFKA_AUDITV1EVENTSENCRYPTED_CIPHER_PASSWORD

The strong cipher key to use when running auditing with encrypted messages.

Optional

INRUPT_AUTHORIZATION_MAX_POD_COUNT

Default: 10

The maximum number of Pods owned by a specific WebID.

Important

The INRUPT_AUTHORIZATION_MAX_POD_COUNT value must equal Pod Services’s INRUPT_STORAGE_MAX_PODS_PER_OWNER value. When changing the INRUPT_AUTHORIZATION_MAX_POD_COUNT value, ensure you also update INRUPT_STORAGE_MAX_PODS_PER_OWNER to the same value.

INRUPT_JWT_ISSUER_ALLOW_LIST

A comma-separated list of trusted Solid-OIDC issuers (i.e., identity providers).

• If unset, the service accepts all Solid-OIDC issuers with the exception of those in the INRUPT_JWT_ISSUER_DENY_LIST.

• If set, the service accepts only those Solid-OIDC issuers in the list with the following exception:

  • If an issuer is in both INRUPT_JWT_ISSUER_ALLOW_LIST and INRUPT_JWT_ISSUER_DENY_LIST, the INRUPT_JWT_ISSUER_DENY_LIST supersedes the INRUPT_JWT_ISSUER_ALLOW_LIST and the issuer is not accepted by ESS.

See also INRUPT_JWT_ISSUER_DENY_LIST.

INRUPT_JWT_ISSUER_DENY_LIST

A comma-separated list of disallowed Solid-OIDC issuers.

• If unset, the service accepts all Solid-OIDC issuers unless INRUPT_JWT_ISSUER_ALLOW_LIST is set, in which case, the service only accepts those in the INRUPT_JWT_ISSUER_ALLOW_LIST.

• If set, the service disallows the Solid-OIDC issuers in the list. If INRUPT_JWT_ISSUER_ALLOW_LIST is also set, issuers not in the INRUPT_JWT_ISSUER_ALLOW_LIST are also disallowed.

INRUPT_JWT_ALLOWED_SIGNATURE_ALGORITHMS

Default: ES256, RS256

A comma-separated list that specifies the allowed encryption algorithms used to sign ID tokens.

QUARKUS_LOG_LEVEL

Default: INFO

Logging level.

QUARKUS_GRPC_SERVER_PORT

The gRPC port of the Authorization Server.

QUARKUS_GRPC_SERVER_SSL_CERTIFICATE

Path to the server TLS/SSL certificate.

QUARKUS_GRPC_SERVER_SSL_KEY

Path to a server TLS/SSL certificate key file.

QUARKUS_GRPC_SERVER_SSL_TRUST_STORE

Trust store file to use.

QUARKUS_GRPC_SERVER_SSL_TRUST_STORE_PASSWORD

Password of the trust store file.

Additional Information

See also https://quarkus.io/guides/all-config.