Authorization configuration

Ya, I have enabled redis.

Hey @george

How do I give an exception in policy.rego if there is a request from a static token?

I have tried using a policy like below

allow if {
  input.token == static_token
}

but it doesn't work.

To specifically scope to the token method type, I believe you would need to write:

allow if {
  input.authentication.method == "METHOD_TOKEN"
}

Thanks @george i will try

Hi team,

@george @mark I faced a similar issue while setting up static token authentication for the endpoint (client-side SDKs: React, Go, Java…):
<flipt url>/internal/v1/evaluation/snapshot/namespace/<namespace>

I get

{
  "code": 7,
  "message": "permission denied",
  "details": []
}

but

curl -H 'Authorization: Bearer *******' -H 'Accept: application/json' https://flipt-self-hosted.com/api/v1/namespaces/default/flags

works well.

I also use authentication via Keycloak for the browser and a static token for the API.

My config:

authentication:
  exclude:
    evaluation: true
  session:
    domain: domain.com
  methods:
    token:
      enabled: true
    oidc:
      enabled: true
      providers:
        keycloak:
          issuer_url: 'auth-domain.com'
          client_id: flipt
          client_secret: xxx
          redirect_address: 'domain.com'
authorization:
  required: true
  backend: local
  local:
    policy:
      path: policy.rego

policy.rego

package flipt.authz.v1

import rego.v1

default allow := false

allow if {
    claims := json.unmarshal(input.authentication.metadata["io.flipt.auth.claims"])
    "developer" in claims.roles
}

allow if {
    input.authentication.metadata["io.flipt.auth.token.name"] == "read-only"
    input.request.action == "read"
}

Flipt version: v1.51.1

P.S. If

authorization:
  required: false

everything works.

I understood what the problem was: I need to set

authentication:
  exclude:
    evaluation: false

in my config.

Hey @member

Sorry, I am a bit late with my answer.

It depends on your use case. If you don't want to have authn/authz for the snapshot endpoint, that would work. But if you want to have it, your policy should include this rule:

# allow read access to the <xyz> namespace with static token
allow if {
  flipt.is_auth_method(input, "token")
  input.request.action == "read"
  input.request.namespace == "<xyz>"
  input.request.resource in ["flag", "segment"]
}

Please let us know if you have any other questions.
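As an added example (not a policy from this thread or from the Flipt project), here is the poster's policy merged with the namespace-scoped static-token rule, plus `opa test` cases that check the token stays read-only and confined to one namespace. It assumes a namespace named "production" and matches the token method via `input.authentication.method == "METHOD_TOKEN"` (as shown earlier in the thread) so the tests run under plain `opa test`, which does not ship Flipt's `flipt.is_auth_method` helper.

```rego
package flipt.authz.v1

import rego.v1

default allow := false

# OIDC (Keycloak) users carrying the "developer" role keep full access.
allow if {
    claims := json.unmarshal(input.authentication.metadata["io.flipt.auth.claims"])
    "developer" in claims.roles
}

# Static token: read-only, and only for the "production" namespace (assumed name).
# This is what the snapshot endpoint needs, without granting the token write or
# cross-namespace access.
allow if {
    input.authentication.method == "METHOD_TOKEN"
    input.request.action == "read"
    input.request.namespace == "production"
    input.request.resource in ["flag", "segment"]
}

# ---- tests: run with `opa test policy.rego` ----

# Constructed sample input: a static-token read of a flag in "production".
token_read_production := {
    "authentication": {"method": "METHOD_TOKEN", "metadata": {"io.flipt.auth.token.name": "read-only"}},
    "request": {"action": "read", "namespace": "production", "resource": "flag"},
}

test_token_can_read_production if {
    allow with input as token_read_production
}

# Same token, but a write: must be denied.
test_token_cannot_write if {
    not allow with input as object.union(token_read_production, {"request": {"action": "update"}})
}

# Same token, another namespace: must be denied.
test_token_cannot_read_other_namespace if {
    not allow with input as object.union(token_read_production, {"request": {"namespace": "staging"}})
}

# An OIDC user with the developer role may write anywhere.
test_developer_claim_allows_write if {
    allow with input as {
        "authentication": {"method": "METHOD_OIDC", "metadata": {"io.flipt.auth.claims": json.marshal({"roles": ["developer"]})}},
        "request": {"action": "update", "namespace": "staging", "resource": "flag"},
    }
}
```

`object.union` merges the override into the sample input recursively, so each negative test changes exactly one field of the allowed request.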

Hi @erka
Thanks for the reply. It works for me.