Authorization Service#

New in version 2.0.

The Authorization service hosts the Access Control Resources (ACR) for every ESS Pod resource and is responsible for managing/enforcing the Access Control Policies (ACP) authorization mechanism.

Authorization Service Endpoint#

By default, the ESS Authorization Service runs from the following root URL:

https://authorization.<ESS Domain>

To change the root Authorization service URL, see INRUPT_AUTHORIZATION_BASE_URL.

See also INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST.

Configuration#

As part of the installation process, Inrupt provides base Kustomize overlays and associated files that require deployment-specific configuration inputs.

The following configuration options are available for the service and may be set as part of updating the inputs for your deployment. The Inrupt-provided base Kustomize overlays may be using updated configuration values that differ from the default values.

Required#

INRUPT_AUTHORIZATION_BASE_URL#

The URI of the Authorization service.

INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST#

Default: https://permissions.{ESS_DOMAIN}/app/id,https://podbrowser.inrupt.com/api/app

Comma-delimited list of Solid-OIDC Client Identifiers. The list determines which clients are authorized to interact with the Access Control Resources.

Important

The INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST value must be managed with care. Only those applications with a high level of trust should be listed. This value should never be set to an empty list.

Kafka Configuraiton#

KAFKA_BOOTSTRAP_SERVERS#

Default: localhost:9092

Comma-delimited list of Kafka broker servers for use by ESS services, including this service.

Setting KAFKA_BOOTSTRAP_SERVERS configures ESS to use the same Kafka instance(s) for all its Kafka message channels (e.g., solidresource and auditv1out message channels). This service uses the solidaccesscontrolresource and auditv1out message channels.

Note

Inrupt-provided overlays default to using KAFKA_BOOTSTRAP_SERVERS.

To use different Kafka instances for the solidaccesscontrolresource and auditv1out message channels, use specific message channel configuration.

See also ESS’ Kafka Configuration.

MP_MESSAGING_OUTGOING_SOLIDACCESSCONTROLRESOURCE_VALUE_SERIALIZER#

Default: org.apache.kafka.common.serialization.StringSerializer

The serializer used for the notification messages the service sends to Kafka.

Supported values are:

  • org.apache.kafka.common.serialization.StringSerializer

    When set to this value, notification messages sent to Kafka are unencrypted.

    Services that consume these messages will need to set their MP_MESSAGING_INCOMING_SOLIDACCESSCONTROLRESOURCE_VALUE_DESERIALIZER to the corresponding deserializer value org.apache.kafka.common.serialization.StringDeserializer.

  • com.inrupt.components.kafka.encryption.EncryptMessageSerializer

    When set to this value, notification messages sent to Kafka are encrypted. Services that consume these encrypted messages will need to set their MP_MESSAGING_INCOMING_SOLIDACCESSCONTROLRESOURCE_VALUE_DESERIALIZER configuration to the corresponding deserializer value com.inrupt.components.kafka.encryption.DecryptMessageDeserializer.

INRUPT_KAFKA_SOLIDACCESSCONTROLRESOURCE_CIPHER_PASSWORD#

The symmetric key to use when encrypting messages (see MP_MESSAGING_OUTGOING_SOLIDACCESSCONTROLRESOURCE_VALUE_SERIALIZER).

Warning

Set to a strong password.

INRUPT_KAFKA_AUDITV1EVENTSENCRYPTED_CIPHER_PASSWORD#

The strong cipher key to use when running auditing with encrypted messages.

Optional#

INRUPT_AUTHORIZATION_MAX_POD_COUNT#

Default: 10

The maximum number of Pods owned by a specific WebID.

Important

The INRUPT_AUTHORIZATION_MAX_POD_COUNT value must equal Pod Services’s INRUPT_STORAGE_MAX_PODS_PER_OWNER value. When changing the INRUPT_AUTHORIZATION_MAX_POD_COUNT value, ensure you also update INRUPT_STORAGE_MAX_PODS_PER_OWNER to the same value.

INRUPT_JWT_ISSUER_ALLOW_LIST#

A comma-separated list of trusted Solid-OIDC issuers (i.e., identity providers).

See also INRUPT_JWT_ISSUER_DENY_LIST.

INRUPT_JWT_ISSUER_DENY_LIST#

A comma-separated list of disallowed Solid-OIDC issuers.

QUARKUS_LOG_LEVEL#

Default: INFO

Logging level.

QUARKUS_HTTP_SSL_CERTIFICATE_FILE#

Path to the the HTTP TLS/SSL certificate.

QUARKUS_HTTP_SSL_CERTIFICATE_KEY_FILE#

Path to the the HTTP TLS/SSL certificate key file.

QUARKUS_GRPC_SERVER_PORT#

The gRPC port of the Authorization Server.

QUARKUS_GRPC_SERVER_SSL_CERTIFICATE#

Path to the server TLS/SSL certificate.

QUARKUS_GRPC_SERVER_SSL_KEY#

Path to a server TLS/SSL certificate key file.

QUARKUS_GRPC_SERVER_SSL_TRUST_STORE#

Trust store file to use.

QUARKUS_GRPC_SERVER_SSL_TRUST_STORE_PASSWORD#

Password of the trust store file.