Authorization Service Extension (Version 2.0)

Owned by George Wang
Jul 14, 2017
1 min read


Introduction

Extended from the discussions in  Authorization Service - Return list of Permissions, here is the proposed version 2.0 spec.  This design aims to be fully backward-compatible with version 1.0 - Version 1.0 message is also a valid Version 2.0 message (except the version number).  This can make it possible that a version 1.0 client can send a version 1.0 request, and process a version 2.0 reply without issues.

Message Definitions

Comparison of Version 2.0 versus 1.0

<!-- version 1.0-->
<!ELEMENT Authorization (Principal, Permission, TestRequest?)>
<!ATTLIST Authorization
    isAuthorized CDATA #REQUIRED
>
<!ELEMENT AuthorizationQuerySpecification (Principal, Permission)>

<!-- versoin 2.0-->
<!ELEMENT Authorization (Principal, Permission*, TestRequest?)>
<!ATTLIST Authorization
    isAuthorized CDATA #IMPLIED
>
<!ELEMENT AuthorizationQuerySpecification (Principal, Permission*)>

Example Messages

Example 1: 

<!--request-->
<AuthorizationQuerySpecification>
<Principal>swheat</Principal>
<Permission>edu.emory.AuthorizationTestApplication.use</Permission>
</AuthorizationQuerySpecification>
 
<!--reply-->
<Authorization isAuthorized="true">
<Principal>swheat</Principal>
<Permission>edu.emory.AuthorizationTestApplication.use</Permission>
</Authorization>

This is the same as Version 1.0

Example 2:

<!--request-->
<AuthorizationQuerySpecification>
<Principal>swheat</Principal>
<Permission>edu.emory.AuthorizationTestApplication.use</Permission>
<Permission>edu.emory.AuthorizationTestApplication2.use</Permission>
<Permission>edu.emory.AuthorizationTestApplication3.use</Permission>
</AuthorizationQuerySpecification>
 
 
<!--reply  type-1-->
<Authorization isAuthorized="true">
<Principal>swheat</Principal>
<Permission>edu.emory.AuthorizationTestApplication.use</Permission>
<Permission>edu.emory.AuthorizationTestApplication2.use</Permission>
</Authorization>
<Authorization isAuthorized="false">
<Principal>swheat</Principal>
<Permission>edu.emory.AuthorizationTestApplication3.use</Permission>
</Authorization>
 
<!--reply type-2-->
<Authorization isAuthorized="true">
<Principal>swheat</Principal>
<Permission>edu.emory.AuthorizationTestApplication.use</Permission>
</Authorization>
<Authorization isAuthorized="true">
<Principal>swheat</Principal>
<Permission>edu.emory.AuthorizationTestApplication2.use</Permission>
</Authorization>
<Authorization isAuthorized="false">
<Principal>swheat</Principal>
<Permission>edu.emory.AuthorizationTestApplication3.use</Permission>
</Authorization>
 
<!--reply type-3-->
<Authorization>
<Principal>swheat</Principal>
<Permission>edu.emory.AuthorizationTestApplication.use</Permission>
<Permission>edu.emory.AuthorizationTestApplication2.use</Permission>
</Authorization>

Please note that reply 1-3 are all valid response, and have the same semantics.  Only 1 reply will be returned.  Current implementation only return type-1 reply, though client codes which are capable of processing all 3 are trivial to implement.

Example test EPPN message and response

Message

<AuthorizationQuerySpecification>
<Principal>anid@gatech.edu</Principal>
<Permission>org.myorg.myapp.viewPage1</Permission>
<Permission>org.myorg.myapp.viewPage2</Permission>
<Permission>org.myorg.myapp.viewPage3</Permission>
</AuthorizationQuerySpecification>

Response

<Authorization isAuthorized="true">
  <Principal>anid@gatech.edu</Principal>
  <Permission>org.myorg.myapp.viewPage1</Permission>
  <Permission>org.myorg.myapp.viewPage2</Permission>
</Authorization>
<Authorization isAuthorized="false">
  <Principal>anid@gatech.edu</Principal>
  <Permission>org.myorg.myapp.viewPage3</Permission>
</Authorization>