Manage Authorization Clients

The Authorization Service uses INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST:

  • To specify which applications can access Access Control Resources (ACRs). Only the clients whose Solid-OIDC Client IDs are in the list can modify the ACRs (i.e., modify access policies for resources).

  • To create the Initial ACP Policies when a Pod is created. Specifically, the initial policies allow only the clients whose Client IDs are in the list (at the time of the Pod creation) to read and write to the Pod.

    The INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST only affects the initial policies during Pod creation. Once the initial policies have been created, any change to the list has no effect on existing policies.

Disambiguation

Both the Authorization Service and the Pod Storage Service have an INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST setting.

Only the Authorization Service setting affects which clients are allowed.

The Pod Storage Service setting is for Discovery purposes only. As such, the setting in the Pod Storage Service should mirror the value set in the Authorization Service.

Example Customization

The following customization updates:

  1. Go to your ESS installation directory:

    cd ${HOME}/ess
    
  2. Create an authz-client-id-allow-list.yaml file with the following content:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: ess-authorization-acp
    spec:
      template:
        spec:
          containers:
          - env:
            - name: INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST
              value: https://myApp.example.com/appid,$(INRUPT_PERMISSIONS_CLIENT_ID),https://podbrowser.inrupt.com/api/app
            name: ess-authorization-acp
    
  3. Create a podconfig-client-id-allow-list.yaml file with the following content:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: ess-pod-storage
    spec:
      template:
        spec:
          containers:
          - env:
            - name: INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST
              value: https://myApp.example.com/appid,https://permissions.inrupt.com/app/id,https://podbrowser.inrupt.com/api/app
            name: ess-pod-storage
    
  4. Modify the kustomization.yaml (i.e., step 3 of the Applying Your Customizations procedure) to use authz-client-id-allow-list.yaml and podconfig-client-id-allow-list.yaml.

    Specifically, add the two file entries shown below to the patches section of the kustomization.yaml file:

    Tip

    If the patches key does not exist in kustomization.yaml, add the key patches as well.

    # kustomization.yaml in your ESS installation directory
    
    # ...  Preceding content omitted for brevity 
    # ...
    
    patches:
      - authz-client-id-allow-list.yaml
      - podconfig-client-id-allow-list.yaml
    
  5. Continue with the rest of the Applying Your Customizations procedure.
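Because the Pod Storage Service value is only advertised for Discovery while the Authorization Service value is the one actually enforced, the two lists drift silently if one patch is edited without the other: a client listed only in Pod Storage is advertised but denied, and a client listed only in the Authorization Service works but is not discoverable. The following script, added here as an example and not part of ESS or its documentation, parses both env values the way the patches above express them (comma-separated Client IDs, with Kubernetes-style $(NAME) references to other container env vars) and reports the differences. The function names are hypothetical, and the value it assumes for INRUPT_PERMISSIONS_CLIENT_ID is a constructed placeholder; in a real check, that value comes from the Authorization Service container's own env.

```python
import re
from urllib.parse import urlsplit

# Kubernetes expands "$(NAME)" in an env value from variables defined earlier
# in the same container. An unresolvable reference is reported as a problem
# rather than kept as a literal, because the literal text "$(NAME)" would
# never match a real Solid-OIDC Client ID.
_REF = re.compile(r"\$\(([A-Za-z_][A-Za-z0-9_]*)\)")


def parse_allow_list(value, env=None):
    """Split an INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST value into Client IDs.

    `env` maps names of other container env vars to their values and is used
    to resolve "$(NAME)" references. Returns (client_ids, problems): the IDs
    in their original order, and a list of human-readable findings for
    entries that were skipped (empty, unresolved, non-https, or duplicated).
    """
    env = env or {}
    ids, problems, seen = [], [], set()
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            problems.append("empty entry (stray comma)")
            continue
        unresolved = [name for name in _REF.findall(entry) if name not in env]
        if unresolved:
            problems.append(f"unresolved reference(s) {unresolved} in {entry!r}")
            continue
        entry = _REF.sub(lambda m: env[m.group(1)], entry)
        parts = urlsplit(entry)
        # Solid-OIDC Client IDs are absolute URLs; require https.
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"not an absolute https URL: {entry!r}")
            continue
        if entry in seen:
            problems.append(f"duplicate Client ID: {entry!r}")
            continue
        seen.add(entry)
        ids.append(entry)
    return ids, problems


def compare_allow_lists(authz_value, authz_env, pod_storage_value, pod_storage_env=None):
    """Report where the enforced list and the advertised list disagree."""
    authz_ids, authz_problems = parse_allow_list(authz_value, authz_env)
    pod_ids, pod_problems = parse_allow_list(pod_storage_value, pod_storage_env)
    return {
        # Allowed by the Authorization Service but not advertised for Discovery.
        "only_in_authorization": sorted(set(authz_ids) - set(pod_ids)),
        # Advertised for Discovery but denied by the Authorization Service.
        "only_in_pod_storage": sorted(set(pod_ids) - set(authz_ids)),
        "authorization_problems": authz_problems,
        "pod_storage_problems": pod_problems,
    }


# Env values as written in the two Deployment patches above. The mapping for
# INRUPT_PERMISSIONS_CLIENT_ID is a constructed placeholder for this example.
AUTHZ_VALUE = (
    "https://myApp.example.com/appid,"
    "$(INRUPT_PERMISSIONS_CLIENT_ID),"
    "https://podbrowser.inrupt.com/api/app"
)
AUTHZ_ENV = {"INRUPT_PERMISSIONS_CLIENT_ID": "https://permissions.inrupt.com/app/id"}
POD_STORAGE_VALUE = (
    "https://myApp.example.com/appid,"
    "https://permissions.inrupt.com/app/id,"
    "https://podbrowser.inrupt.com/api/app"
)
# A drifted Pod Storage value (constructed): a client added to Discovery only.
DRIFTED_POD_STORAGE_VALUE = POD_STORAGE_VALUE + ",https://other.example.com/id"

if __name__ == "__main__":
    import json
    print(json.dumps(compare_allow_lists(AUTHZ_VALUE, AUTHZ_ENV, POD_STORAGE_VALUE), indent=2))
    print(json.dumps(compare_allow_lists(AUTHZ_VALUE, AUTHZ_ENV, DRIFTED_POD_STORAGE_VALUE), indent=2))
```

Running it against the values from the patches reports no differences; running it against the drifted value lists https://other.example.com/id under only_in_pod_storage, which is exactly the "advertised but denied" case the Disambiguation section warns about. Feeding the Authorization Service value without its env mapping reports the $(INRUPT_PERMISSIONS_CLIENT_ID) reference as unresolved instead of treating it as a Client ID.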