Authorization Policy
The YAML below is an example configuration for an IBM Application Gateway (IAG) container which:
- Specifies a server certificate;
- Configures an IBM Security Verify tenant as the identity provider using OIDC;
- Defines a single Web application which will be proxied by the IAG;
- Defines an authorization policy for the Web application.
Example YAML
version: "23.04"
#
# Configure an IAG container to proxy a single Web application, and define
# an authorization policy for the Web application. This configuration will
# simply define a server certificate, configure an IBM Security Verify tenant
# as the identity provider, define a single application and then define some
# authorization rules for this application.
#
#
# Specify a server certificate to be used by the container. The server
# certificate was created using an openssl command:
# openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 \
# -out cert.pem
#
# To remove the dependency on external files a base-64 representation of the
# key.pem and cert.pem files can be embedded within this YAML, where the
# base-64 encoded file is prefixed with 'B64:', for example:
# "B64:PGhy4KICAgIDxoND5...."
#
# If no certificate is specified a self-signed certificate will be
# automatically created and used by the container.
#
server:
  ssl:
    front_end:
      certificate:
        - "@cert.pem"
        - "@key.pem"
#
# Specify an IBM Security Verify tenant as the identity provider for the
# container. Please note that the values provided below are for illustrative
# purposes only and don't reflect a real tenant. A free tenant can be created
# using the instructions found at the following URL:
# https://www.ibm.com/us-en/marketplace/cloud-identity-for-consumers
#
# The discovery endpoint has the following format:
# https://<tenant host>/oidc/endpoint/default/.well-known/openid-configuration
#
# The redirect URI which is used in the SSO flow is constructed from the host
# header contained in the request, appended with '/pkmsoidc' (for example:
# https://ibm-app-gateway.ibm.com/pkmsoidc). This redirect URI should be
# specified when creating the custom application within the IBM Security
# Verify administrators console.
#
identity:
  oidc:
    discovery_endpoint: "https://ibm-app-gw.verify.ibm.com/oidc/endpoint/default/.well-known/openid-configuration"
    client_id: "300141b6-690b-4e4e-862d-2c96da2bb1ba"
    client_secret: "wPP8rM8N0d"
#
# Define a resource server which will be hosted at the '/static' path of the
# IAG container. A single Web server, located at http://10.10.10.200:1337,
# hosts the resource server.
#
# An authorization policy has also been defined which:
# 1. Allows members of the 'application owners' group to retrieve any resource;
# 2. Allows unauthenticated users to retrieve the '/unauth' resource;
# 3. Allows any authenticated user to retrieve the '/everyone' resource;
# 4. Denies access to everything else.
#
resource_servers:
  - path: "/static"
    connection_type: "tcp"
    servers:
      - host: "10.10.10.200"
        port: 1337
    transparent_path: false
    policies:
      authorization:
        - name: "app_owners"
          methods:
            - "GET"
          paths:
            - "*"
          rule: (any groupIds = "application owners")
          action: "permit"
        - name: "any_user"
          methods:
            - "GET"
          paths:
            - "/unauth"
          rule: "anyuser"
          action: "permit"
        - name: "any_auth_user"
          methods:
            - "GET"
          paths:
            - "/everyone"
          rule: "anyauth"
          action: "permit"
        - name: "go-away"
          paths:
            - "*"
          rule: "()"
          action: "deny"
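The following Python script is an added example, not part of the IAG product or of this page's original configuration. It models how the four authorization entries above are applied to incoming requests, so that the policy can be checked against concrete cases before the container is deployed. It transcribes the policy as a Python list, parses only the rule forms that appear on the page (`anyuser`, `anyauth`, `()` and `(any <attr> = "<value>")`), and makes three labelled assumptions: entries are tried in the order they are written, an empty rule `()` is always true, and a request matched by no entry is denied. The `Request` class and the sample requests are constructed for illustration.

```python
import fnmatch
import re
from dataclasses import dataclass, field

# Authorization policy transcribed from the page's YAML (policies.authorization
# of the "/static" resource server), in the same order as it appears there.
POLICY = [
    {"name": "app_owners", "methods": ["GET"], "paths": ["*"],
     "rule": '(any groupIds = "application owners")', "action": "permit"},
    {"name": "any_user", "methods": ["GET"], "paths": ["/unauth"],
     "rule": "anyuser", "action": "permit"},
    {"name": "any_auth_user", "methods": ["GET"], "paths": ["/everyone"],
     "rule": "anyauth", "action": "permit"},
    # No "methods" key: the entry applies to every HTTP method.
    {"name": "go-away", "paths": ["*"], "rule": "()", "action": "deny"},
]


@dataclass
class Request:
    """Constructed model of a request as the policy sees it: HTTP method, path
    below the resource server's "/static" junction, and session attributes."""
    method: str
    path: str
    authenticated: bool = False
    attrs: dict = field(default_factory=dict)   # e.g. {"groupIds": [...]}


# Only the rule forms that appear on the page are understood here.
_ANY_RULE = re.compile(r'^\(any (\w+) = "([^"]*)"\)$')


def rule_matches(rule: str, req: Request) -> bool:
    """Evaluate one 'rule' string against the request."""
    if rule == "anyuser":            # authenticated or not
        return True
    if rule == "anyauth":            # any authenticated user
        return req.authenticated
    if rule == "()":                 # ASSUMPTION: an empty expression is
        return True                  # always true, matching the page's intent
    m = _ANY_RULE.match(rule)
    if m:                            # (any <attr> = "<value>")
        attr, value = m.groups()
        values = req.attrs.get(attr, [])
        if isinstance(values, str):
            values = [values]
        return value in values
    raise ValueError(f"unsupported rule syntax: {rule!r}")


def evaluate(policy: list, req: Request) -> tuple:
    """Return (action, entry name) for the first entry whose methods, paths and
    rule all match. ASSUMPTIONS: entries are tried in list order, and a request
    matched by no entry is denied."""
    for entry in policy:
        methods = entry.get("methods")
        if methods and req.method.upper() not in methods:
            continue
        if not any(fnmatch.fnmatchcase(req.path, p) for p in entry["paths"]):
            continue
        if not rule_matches(entry["rule"], req):
            continue
        return entry["action"], entry["name"]
    return "deny", None


if __name__ == "__main__":
    owner = {"groupIds": ["application owners"]}
    samples = [
        Request("GET", "/secret", True, owner),   # owner reads anything
        Request("GET", "/unauth"),                # anonymous, public resource
        Request("GET", "/everyone", True),        # any authenticated user
        Request("GET", "/everyone"),              # anonymous, denied
        Request("POST", "/unauth"),               # method not in any permit
        Request("DELETE", "/secret", True, owner),# owners may only GET
    ]
    for req in samples:
        print(f"{req.method:6} {req.path:10} auth={req.authenticated!s:5} "
              f"-> {evaluate(POLICY, req)}")
```

Two points the table of entries does not make obvious fall out of running it: the `app_owners` entry lists only `GET`, so even application owners are denied a `POST` or `DELETE` by the catch-all, and the outcome depends on order, since moving `go-away` to the top denies every request before any permit entry is reached.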