Supporting the AuthZen Protocol
Support for the AuthZen 1.0 remote execution protocol can be enabled in Enforcer using the extension method UseEnforcerAuthZen. This is configured as follows:
```csharp
var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddEnforcer("AcmeCorp.Global", options =>
    {
        // Licensing details supplied by your Enforcer licence.
        options.Licensee = <Licensee>;
        options.LicenseKey = <License Key>;
    })
    // Policies are loaded from the "policies" directory on disk.
    .AddFileSystemPolicyStore("policies")
    // Attribute providers resolve the attributes referenced by the policies.
    .AddPolicyAttributeProvider<FinanceDepartmentAttributeProvider>();

var app = builder.Build();

// Exposes the AuthZen 1.0 endpoint backed by the Enforcer PDP.
app.UseEnforcerAuthZen();

app.Run();
```
Configuring authentication on the server
Authentication integrates with the ASP.NET Core authentication service; the default authentication scheme is used.
Integrating with ASP.NET Core lets you use whichever mechanism works best for you, whether that is OAuth2, API keys, basic HTTP authentication or something else.
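As an added example (not Enforcer's own code), the following makes an API-key scheme the default scheme that the AuthZen endpoint will use. It assumes .NET 8 with implicit usings, a configuration key `AuthZen:ApiKey`, and a hypothetical handler class; whether UseEnforcerAuthZen runs the authentication middleware itself is not stated above, so it registers app.UseAuthentication() explicitly.

```csharp
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);
builder.Services
    .AddAuthentication(ApiKeyHandler.SchemeName)   // becomes the default scheme
    .AddScheme<AuthenticationSchemeOptions, ApiKeyHandler>(ApiKeyHandler.SchemeName, null);
// ... AddEnforcer(...) registration as shown earlier on this page ...
var app = builder.Build();
app.UseAuthentication();   // assumed to be required before the AuthZen endpoint
app.UseEnforcerAuthZen();
app.Run();

// Hypothetical API-key scheme: the caller presents the key in an X-Api-Key header.
public sealed class ApiKeyHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    public const string SchemeName = "ApiKey";

    public ApiKeyHandler(IOptionsMonitor<AuthenticationSchemeOptions> options,
        ILoggerFactory logger, UrlEncoder encoder) : base(options, logger, encoder) { }

    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        if (!Request.Headers.TryGetValue("X-Api-Key", out var presented))
            return Task.FromResult(AuthenticateResult.NoResult());

        // Expected key is read from configuration (assumed key name), never hard-coded.
        var expected = Context.RequestServices
            .GetRequiredService<IConfiguration>()["AuthZen:ApiKey"];
        if (string.IsNullOrEmpty(expected))
            return Task.FromResult(AuthenticateResult.Fail("No API key configured"));

        // Constant-time comparison so response timing does not leak matching prefixes.
        var a = Encoding.UTF8.GetBytes(presented.ToString());
        var b = Encoding.UTF8.GetBytes(expected);
        if (!CryptographicOperations.FixedTimeEquals(a, b))
            return Task.FromResult(AuthenticateResult.Fail("Invalid API key"));

        var identity = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, "authzen-pep") }, Scheme.Name);
        var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name);
        return Task.FromResult(AuthenticateResult.Success(ticket));
    }
}
```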
Notes on the AuthZen implementation
AuthZen is a protocol for invoking a PDP. However, it does not define as rich a model as the OASIS authorization model. The two biggest differences are:
- AuthZen only supports Permit or Deny as outcomes. It does not have a concept of NotApplicable or Indeterminate. Therefore, only the PDP outcome of Permit will map to an AuthZen decision of true. Any other outcome will map to a decision of false.
- AuthZen does not have the concept of obligations and advice. As such, these are not passed to the caller by Enforcer when invoked via AuthZen. Therefore, in this scenario it is advised not to use obligations and advice in your policies. We hope that more clarity on handling obligations, in particular, will be forthcoming from the standards body.