What is the intended flow for authenticating/authorizing a User Entity from a Web UI

[pacog1994]

Hello OpenTDF,

I've been stuck with thoughts of how to design a React UI that lets me authenticate as a user from the OpenTDF platform keycloak instance and then utilize the OpenTDF platform authorization service to create attribute-based access control with it's GetDecisionsByToken method.

I've noticed that the platform makes use of grpc-gateway, example from authorization.pb.gw.go
"/authorization.AuthorizationService/GetDecisionsByToken", runtime.WithHTTPPathPattern("/v1/token/authorization"))

So I've been fetching endpoints directly with Postman i.e http://localhost:8080/v1/token/authorization and passing in an Auth Bearer Token and a Request body with decisionRequests.

I don't know if this is the correct/intended way of communicating with a browser client because I'm getting perrmission denied errors...

If anyone can offer direction in how to authenticate/authorize a User using opentdf (and not an internal service) I would greatly appreciate it.

[jrschumacher]

@pacog1994 this is a known issue captured #975. We're trying to determine what the default policy should be which is why it hasn't been resolved yet.

A workaround (as documented in the issue) is to add a custom policy https://github.com/opentdf/platform/blob/main/opentdf-example.yaml#L50-L55

Note, the "easy" and "insecure" solution is:

p, role:org-admin, *, *, *, allow
p, role:admin, *, *, *, allow
p, role:standard, *, *, *, allow

[jrschumacher]

@pacog1994 this issue was resolved, so you should be able to make the calls now.

Regarding how a web interface would be able to make a getDecision request, my advice is to write this in your server side PEP. This way, you can protect your platform from users making getDecision requests about other users. It's up to you if you want to implement a token exchange or if you want to privilege your server PEP to make these kinds of requests.