Authorization accesses: How it works ?¶
The authorization accesses list coming from ResourceHeaderOIDC are accesses matrix by group or email. If not set, authenticated users will be authorized (no group or email validation will be performed if authorizationOPAServer
isn't set).
Moreover, this is based on the "OR" principle. Another way to say it is: you are authorized as soon as 1 thing (email or group) is matching.
The example below explain this in detail.
Example of authorization accesses configuration:
targets:
target1:
resources:
- path: /*
provider: provider1
oidc:
authorizationAccesses:
- group: group1
- group: group2
bucket:
...
We consider those users:
- Jean Dupont with
group1
andgroup2
- Astérix with
group1
andgroup3
- Obélix with
group3
Accesses will be:
- Jean Dupont: Ok because he is in
group1
(andgroup2
but this one isn't matching the first) - Astérix: Ok because he is in
group1
- Obélix: Forbidden because he isn't in any of
group1
orgroup2
To conclude, if you want to have a AND accesses list (following the example before, only Jean Dupont is authorized), you will have to change the authorization mechanism to OPAServerAuthorization and check feature guide here.