Expand my Community achievements bar.

SOLVED

Authorization Framework for my AEM Site

Avatar

Level 4

I am working on a new AEM site, as part of the architecture I want to perform authorization checks for my user, e.g. if user is allowed to click on a CTA etc, is user allowed to read dynamic field value etc. 
My users will be coming from an external CIAM/IDP provider. 

Does AEM provide any documentation, references, or OOTB integration with the Authorization Framework? Like Zanzibar, Auth0 FGA etc? 

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

1 Accepted Solution

Avatar

Correct answer by
Employee Advisor

While the requirements 1 and 3 could be implemented by permissions on a certain operation object in the repository, (2) is much harder to implement.

 

I could imagine that /content/actions/redeem-a-coupon/product-A could be done and then you would additional permissions on the product-A resource; but I am not sure if this approach scales to your requirements (for example if you have 1000s of products) and also if you have more AND or OR relations with other constraints.

 

But I think that's the point where you need to think about about a different way to represent your logic. And then maybe the AEM-native capabilities are not a good match anymore.

View solution in original post

9 Replies

Avatar

Level 4

I am looking beyond these roles, where users's context and what users can do within the application. Built-in user/groups work well but have their limitations. Hence we are looking for more scalable and in-depth authorization options. 

There are multiple authorization frameworks in the market, but couldn't find an example of how to implement them. 

E.g. in a headless CMS,  I want to put authorization layer before user's action reaches to an API


Avatar

Employee Advisor

The underlying repository is quite flexible, and also the authorization mechanism is extensible (although rarely done). But the authorization is implemented on the repository level; that means if you have read access to a resource, you can read it for whatever purpose you need to access it. That means, you can read this resource you cannot restrict that this read can only be done for download and not for a copy and paste action to a location where you have write access to.

 

So can you please provide a few examples for activities, which you want to authorize separately?

 

Avatar

Level 4

I am building a loyal rewards site. As part of this, I have multiple tiers for users Silver, Gold, Platinum 

 

I have created a sign-in flow with an external Identity provider (Okta, Microsoft AD, etc) I have a Graph structure that defines what users can do where and how. This structure is complex and goes beyond standard roles. E.g. https://play.fga.dev/sandbox/?store=github 

 

When a user logs in, based on his/her profile, I will show specific content. Showing content is slightly nuanced: I am not considering only the user tier to display the content; I want to consider the user's context, e.g., what a user can do within an application object (Claim a coupon, redeem a coupon, share a tweet).  

 

 

The FGA Example I have provided above can help, but I would need to build and use FGA APIs from scratch; I am looking for an OOTB way to do this. 

Avatar

Employee Advisor

If you can represent your application objects in the repository, you can put ACLs on it and provide access to them via authorization. 

Then you could bind the code for this application object via a ResourceType to that object.

 

For example you create the the resource /content/actions/redeem-a-coupon. You only give read access for the groups "gold", because the "silver" members should not be able to redeem a coupon. Set a the "sling:resourceType" property to "myapp/actions/redeem-a-coupon" and implement the various actions below that resourcetype using various selectors.

 

And then you can make the UI calls like

* /content/actions/redeem-a-coupon.ui.html to display the dialog.

* /content/actions/redeem-a-coupon.submit.html to call the servlet which accepts the submission.

* ...

 

(You should be able to represent the relations between the various principals in the linked URLs via the AEM ootb functionality, users and groups.)

 

 

 

 

Avatar

Level 4

That's my challenge my Object repository is already defined externally and I am trying to integrate my content with it.
Also this approach would work for a standard role but may face scalability issues:
Check if a user is allowed to redeem a coupon if
1- He/She belongs to the silver tier
2- He/She can redeem a coupon if the coupon is for products A,B, C but not D
3- As a silver tier member allow redeem action for subscriber members only

It becomes challenging to create this sort of authorization data model. Please let me know if I am. missing anything 

 

Avatar

Correct answer by
Employee Advisor

While the requirements 1 and 3 could be implemented by permissions on a certain operation object in the repository, (2) is much harder to implement.

 

I could imagine that /content/actions/redeem-a-coupon/product-A could be done and then you would additional permissions on the product-A resource; but I am not sure if this approach scales to your requirements (for example if you have 1000s of products) and also if you have more AND or OR relations with other constraints.

 

But I think that's the point where you need to think about about a different way to represent your logic. And then maybe the AEM-native capabilities are not a good match anymore.

Avatar

Administrator

@patK-ze1xYs Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.



Kautuk Sahni