# http4k
e
Hi, I am looking at a way to implement an authorisation model within a http4k application. The use case is quite basic, users will have a set of roles, and roles will have a set of permissions. User permissions will then allow/deny users’ access to protected routes. Does anyone know if there is any support in http4k for this kind of use case?
d
what's the form of the security? API key or cookie etc?
e
Cookie at the moment, we authenticate via OAuth and store the tokens as encrypted cookies.
d
We don't have anything specific built in - but we have implemented similar mechanisms. Essentially it's down to using request contexts and filters in the following order:
1. initialise request context
2. populate request context with extracted credentials
3. auth credentials in request context against the model
4. endpoints
e
That makes sense, thanks. To allow for extending the model in the future without having to do it all ourselves, I was hoping to find a Kotlin library similar (even if much simpler) to https://github.com/casbin/jcasbin, but I guess we can always build a simple abstraction on top of it if needed.
d
there is a possibility to create some http4k-security-XXX plugin modules to bridge the gap between a library like this, but we definitely don't want to get into the realms of creating a custom http4k model of auth.
a
This is something I struggle with too. The app I refer to is multi-tenant, so authorizing credentials isn't as simple as asking whether "resource A belongs to user Y", so here's what I do.
1. http4k exchanges the token for credentials
2. http4k puts the credentials in the request context
3. extract credentials from request context and pass into service layer
4. service layer loads related resources and authorizes credentials
5. service layer uses those related resources in whatever business logic requires them

I don't love it, but it works for me, and is simpler than caching resources for pre and post verification. I'd be interested in learning about alternatives though.
e
I like the idea of having a http4k bridge to a library that can handle the decision so that it is possible to easily externalise the authorisation model and have several apps use the same authorisation mechanism. I will look around to see which libraries seem worthwhile integrating with in this space.