# ktor
b
hey! i saw that ktor implements features for authentication. is there also a framework for authorization? i have a server in our organisation which basically can do RBAC and ABAC and handles access to resources. so in each call to my ktor app i have to make a http request to that server and check for authorization. how would i handle that? any suggestions? add an interceptor after the authentication pipeline? do it directly in my routes?
m
One way to do it would be to use a session cookie and store session data in Redis. When creating a session like when logging in, hit that RBAC server and load all applicable roles and keep them in your principal class. Then it's trivial to write a wrapper around your business logic that looks for the relevant role/capability/whatever.
Here's a wrapper I use in one of my ktor apps to give you the idea:
```kotlin
// Assumed imports for Ktor 2.x (Ktor 1.x uses io.ktor.application / io.ktor.auth / io.ktor.response)
import io.ktor.http.HttpStatusCode
import io.ktor.server.application.ApplicationCall
import io.ktor.server.auth.Principal
import io.ktor.server.auth.authentication
import io.ktor.server.auth.principal
import io.ktor.server.response.respond
import org.slf4j.LoggerFactory

// Placeholder definitions for the types the thread refers to but does not show
enum class InternalCapability { /* your capabilities */ }
data class InternalUserPrincipal(
    val internalUserId: String,
    val capabilities: Set<InternalCapability>  // loaded from the RBAC server at login
) : Principal

private val logger = LoggerFactory.getLogger("requireCapability")

// Runs `block` only if the authenticated principal holds capability `c`;
// otherwise responds with an error status and never calls `block`.
internal suspend fun requireCapability(
    call: ApplicationCall,
    c: InternalCapability,
    block: suspend (InternalUserPrincipal) -> Unit
) {
    // `!!` assumes this is called inside an `authenticate { }` route block, so the
    // principal is already present; outside one it throws (an unhandled 500).
    val principal = call.authentication.principal<InternalUserPrincipal>()!!
    if (!principal.capabilities.contains(c)) {
        logger.debug("Principal ${principal.internalUserId} did not have capability $c")
        // 403 Forbidden is the conventional status for an authenticated principal
        // that lacks permission; 401 is what this wrapper uses.
        call.respond(HttpStatusCode.Unauthorized)
        return
    }

    block(principal)
}
```
use (inside an authenticated route; `foo` stands for an `InternalCapability` value):
```kotlin
requireCapability(call, foo) { principal -> /* your logic here */ }
```