Gluu as PDP

By: Yoel Spotts user 12 Nov 2019 at 11:11 a.m. CST

4 Responses
Yoel Spotts gravatar
I am confused about something and hoping someone can provide some clarification: Gluu server supports the UMA Oauth standard. Based on the docs I have seen, this would seem to mean that Gluu server can act as the PDP for policy decisions. However, looking at the Gluu Gateway product, it appears that Gateway bundles open policy agent to handle actual policy decisions. I don't understand why Gluu Gateway includes OPA for policy decisions, if Gluu Server can act as a PDP? Thanks Yoel
Gluu 4.0 Docker 2.0
closed

Answers

By Michael Schwartz Account Admin 12 Nov 2019 at 11:19 a.m. CST

Copy
Michael Schwartz gravatar
Gluu Gateway is the policy enforcement point--it filters access based on OAuth or UMA scopes (or based on an external PDP, like Open Policy Agent). It is quite dumb--it does not know the meaning of the scopes. If the right scopes are present, it let's the traffic through. Otherwise, it returns 401 (with a permission ticket and as_uri if it's UMA). Gluu Gateway does not know the policies that determine whether a specific scope is granted--the AS determines whether to issue an access token with a certain scope. Thus the "policy" is stored in the Gluu Server. If you are using OAuth, scopes are either manually given to clients, or there could be a mechanism to grant scopes based on the presentation of a "software statement" (i.e. a JWT) during client registration. If you are using UMA, the Gluu Server determines whether to grant a scope based on policies that are mapped in the UMA scopes screen. These policies are expressed in the "UMA RPT Policies' script in the "Configuration/Manage Custom Scripts" section of the admin UI. Note, these scripts can call an external PDP. See the blog on Axiomatics as an example of this pattern: https://www.gluu.org/blog/axiomatics/

By Yoel Spotts user 12 Nov 2019 at 11:25 a.m. CST

Copy
Yoel Spotts gravatar
Thank you so much for the very quick response! I am still not 100% clear: does that mean that Gluu Server cannot act as the PDP? Or are you saying that the policy script could make a policy decision on its own, or it could call out to some external PDP?

By Michael Schwartz Account Admin 12 Nov 2019 at 11:38 a.m. CST

Copy
Michael Schwartz gravatar
IMHO, if you have a relatively small number of policies, you can use the Gluu Server as the PDP. For example, you could express your policies in Python using the RPT interception script. If you have dozens, hundreds, or thousands of policies, there are real advantages to storing policies in some kind of structured syntax, like XML or Rego. Also, keep in mind that Gluu, as the OAuth Authorization Server, mints tokens (handling signing, encryption and introspection of reference tokens). That's an important job in the modern API ecosystem, that has become too complicated for most PDP's.

By Yoel Spotts user 12 Nov 2019 at 1:47 p.m. CST

Copy
Yoel Spotts gravatar
thank you for your thoughtful responses! very helpful

Post an answer