{"id":27979448,"url":"https://github.com/curityio/authzen-authorization-manager","last_synced_at":"2025-10-17T02:19:48.051Z","repository":{"id":286537564,"uuid":"880579148","full_name":"curityio/authzen-authorization-manager","owner":"curityio","description":"An example Authorization Manager using AuthZEN","archived":false,"fork":false,"pushed_at":"2024-10-30T01:29:04.000Z","size":13,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-05-08T02:53:26.906Z","etag":null,"topics":["authorization-manager","authzen","curity","plugin"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/curityio.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-10-30T01:07:08.000Z","updated_at":"2024-11-15T01:16:52.000Z","dependencies_parsed_at":null,"dependency_job_id":"27c795ba-6089-4794-8a3a-5a0270486d08","html_url":"https://github.com/curityio/authzen-authorization-manager","commit_stats":null,"previous_names":["curityio/authzen-authorization-manager"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/curityio/authzen-authorization-manager","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Fauthzen-authorization-manager","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Fauthzen-authorization-manager/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Fauthzen-authoriza
tion-manager/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Fauthzen-authorization-manager/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/curityio","download_url":"https://codeload.github.com/curityio/authzen-authorization-manager/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Fauthzen-authorization-manager/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279271962,"owners_count":26138041,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-17T02:00:07.504Z","response_time":56,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authorization-manager","authzen","curity","plugin"],"created_at":"2025-05-08T02:53:25.733Z","updated_at":"2025-10-17T02:19:48.046Z","avatar_url":"https://github.com/curityio.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# OpenID AuthZEN Authorization Manager Plugin\n\n[![Quality](https://img.shields.io/badge/quality-demo-red)](https://curity.io/resources/code-examples/status/)\n[![Availability](https://img.shields.io/badge/availability-source-blue)](https://curity.io/resources/code-examples/status/)\n\n\nPDPs: https://github.com/openid/authzen/blob/main/interop/authzen-todo-backend/src/pdps.json\n\n\n\nA prototype Authorization Manager written 
in Java using an external [OpenID AuthZEN](https://openid.github.io/authzen/) authorization engine, also known as a [Policy Decision Point (PDP)](https://curity.io/resources/learn/entitlement-management-system/#the-policy-decision-point), for authorization.\n\n**Note**: The plugin requires at least version 7.3 of the Curity Identity Server.\n\n## Introduction\n\nThe Curity Identity Server can leverage Authorization Managers to control access to exposed GraphQL APIs for DCR and User Management. Authorization Managers can be custom built using the [Curity Java Plugin SDK](https://curity.io/docs/idsvr-java-plugin-sdk/latest/). This is an example of a custom Authorization Manager that acts as a [Policy Enforcement Point (PEP)](https://curity.io/resources/learn/entitlement-management-system/#the-policy-enforcement-point) in an OpenID AuthZEN architecture. The OpenID AuthZEN Authorization Manager sends a JSON-formatted request to a configured PDP that holds a policy. The PDP responds with a decision. The OpenID AuthZEN Authorization Manager handles the response and allows or denies access to the requested resource.\n\n## Building the Plugin\n\nBuild the plugin by issuing the command `mvn package`. This will produce a JAR file in the `target/authzen-authorization-manager` directory, which can be installed.\n\n## Installing the Plugin\n\nTo install the plugin, copy the compiled JAR (and all of its dependencies) from `target/authzen-authorization-manager` into `${IDSVR_HOME}/usr/share/plugins/${pluginGroup}` on each node, including the admin node.\n\nFor more information about installing plugins, refer to the [Plugin Installation section of the Documentation](https://curity.io/docs/idsvr/latest/developer-guide/plugins/index.html#plugin-installation).\n\n## Required Dependencies\n\nFor a list of the dependencies and their versions, run `mvn dependency:list`. 
Ensure that all of these are installed in the plugin group; otherwise, they will not be accessible to this plugin and runtime errors will result.\n\n## Configuring the Plugin\n\nThe plugin needs an HttpClient, host, port and path configured in order to communicate with the OpenID AuthZEN PDP.\n\n### The configuration parameters\n\n| Name | Type | Description | Example | Default |\n|------|------|-------------|---------|---------|\n| `HttpClient`| String | The ID of the HttpClient that the Authorization Manager will use to call the OpenID AuthZEN PDP. | `authzen-http-client` |  |\n| `PDP Host`  | String | The hostname of the OpenID AuthZEN PDP. | `authzen-pdp.example.com` | `localhost` |\n| `PDP Port`  | String | The port that the OpenID AuthZEN PDP is exposing its service on.  | `8443` | `443` |\n| `PDP Path`  | String | The path of the OpenID AuthZEN PDP that accepts authorization requests. | `/pdp` |  `/access/v1/evaluation` |\n\nWhen committed, the Authorization Manager is available to be used throughout the Curity Identity Server.\n\n### DCR GraphQL API\n\nIn order to protect the DCR GraphQL API, the Authorization Manager needs to be added to the Token Service Profile. Navigate to `Token Service` -\u003e `General` and, in the drop-down for Authorization Manager, choose the newly created Authorization Manager.\n\n### User Management GraphQL API\n\nIn order to protect the User Management GraphQL API, the Authorization Manager needs to be added to the User Management Profile. 
Navigate to `User Management` -\u003e `General` and, in the drop-down for Authorization Manager, choose the newly created Authorization Manager.\n\n### OpenID AuthZEN Sample Request/Response\n\n#### Request\n\nThe example request below is what the OpenID AuthZEN Authorization Manager sends to the PDP.\n\n```http\nPOST /services/pdp HTTP/1.1\nHost: localhost:443\nContent-Type: application/+json\n\n{\n    \"subject\": {\n        \"type\": \"user\",\n        \"id\": \"alice\"\n    },\n    \"resource\": {\n        \"type\": \"api\",\n        \"id\": \"user-management\"\n    },\n    \"action\": {\n        \"name\": \"can_read\",\n        \"properties\": {\n            \"method\": \"POST\"\n        }\n    }\n}\n```\n\n#### Response\n\nThe response from the PDP contains a single boolean `decision` field: `true` if access is granted, `false` if not.\n\n```json\n{\"decision\":false}\n```\n\n## More Information\n\n- Please visit [curity.io](https://curity.io/) for more information about the Curity Identity Server\n- [OpenID AuthZEN Working Group](https://openid.github.io/authzen/)\n- [Curity Identity Server GraphQL APIs](https://curity.io/docs/idsvr/latest/developer-guide/graphql/index.html)\n- [User Management with GraphQL](https://curity.io/resources/learn/graphql-user-management/)\n- [Authorizing Access to User Data](https://curity.io/resources/learn/authorizing-user-access/)\n\nCopyright (C) 2024 Curity AB.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcurityio%2Fauthzen-authorization-manager","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcurityio%2Fauthzen-authorization-manager","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcurityio%2Fauthzen-authorization-manager/lists"}