Skip to content

feat: Add OpenID AuthZEN integration for fine-grained authorization (v1)#381

Open
RazcoDev wants to merge 4 commits intoagntcy:mainfrom
RazcoDev:feature/authzen-integration-v1
Open

feat: Add OpenID AuthZEN integration for fine-grained authorization (v1)#381
RazcoDev wants to merge 4 commits intoagntcy:mainfrom
RazcoDev:feature/authzen-integration-v1

Conversation

@RazcoDev
Copy link

@RazcoDev RazcoDev commented Jul 1, 2025

AuthZEN Integration v1 - Fine-Grained Authorization for SLIM

📖 Proposal

This PR implements iteration 1 of OpenID AuthZEN integration into SLIM, providing standards-based policy enforcement for agent operations beyond simple JWT claims.

🎯 Problem Statement

SLIM currently uses JWT-based authentication but lacks fine-grained authorization capabilities for:

  • Cross-organization communication policies
  • Message size limits and content filtering
  • Dynamic permission management
  • Centralized policy administration
  • Standards-based policy decision points (PDPs)

🚀 Solution Overview

Complete AuthZEN v1 implementation providing policy-driven authorization for all SLIM operations:

Core Components Added

1. AuthZEN Client (data-plane/core/auth/src/authzen.rs)

  • ✅ Full OpenID AuthZEN v1 API compliance
  • ✅ HTTP client for PDP communication
  • ✅ Authorization decision caching (TTL-based)
  • ✅ Fallback policies for PDP unavailability
  • ✅ Retry logic and error handling
  • ✅ Batch evaluation foundation

2. SLIM Service Integration (data-plane/core/service/src/authzen_integration.rs)

  • AuthZenService wrapper for seamless integration
  • ✅ SLIM → AuthZEN entity conversions:
    • AgentAuthZenSubject
    • AgentTypeAuthZenResource
  • ✅ Authorization methods:
    • authorize_route() - Agent-to-agent route establishment
    • authorize_publish() - Message publishing with metadata
    • authorize_subscribe() - Subscription permissions
  • ✅ Configurable PDP endpoints and policies
  • ✅ Graceful degradation when AuthZEN unavailable

3. Comprehensive Demo (data-plane/examples/src/authzen-demo/)

  • ✅ Complete working example with CLI options
  • ✅ Real-world authorization scenarios:
    • Same-org vs cross-org communication
    • Message size limit enforcement
    • Route creation permissions
    • Subscription access controls
  • ✅ Performance testing with caching
  • ✅ Detailed logging and error scenarios

📊 Technical Details

Dependencies Added:

chrono = "0.4"        # Timestamp generation
reqwest = "0.12"      # HTTP client for PDP  
serde_json = "1.0"    # AuthZEN serialization
tokio = { sync }      # Async cache management

Error Handling:

pub enum AuthError {
    NetworkError(String),
    AuthorizationError(String), 
    ParseError(String),
    FallbackAllow,  // Graceful degradation
}

Configuration:

pub struct AuthZenServiceConfig {
    pub enabled: bool,
    pub pdp_endpoint: String,
    pub timeout: Duration,
    pub cache_ttl: Duration,
    pub fallback_allow: bool,
    pub max_retries: u32,
}

🔧 Usage Example

// Configure AuthZEN integration
let authzen_service = AuthZenService::new(Some(AuthZenServiceConfig {
    enabled: true,
    pdp_endpoint: "http://pdp:8080".to_string(),
    fallback_allow: false,  // fail-closed
    timeout: Duration::from_secs(5),
    cache_ttl: Duration::from_secs(300),
    max_retries: 3,
}))?;

// Authorize operations
let route_allowed = authzen_service.authorize_route(
    &agent, &target_type, Some(connection_id)
).await?;

let publish_allowed = authzen_service.authorize_publish(
    &source_agent, &target_type, Some(target_id), Some(message_size)
).await?;

let subscribe_allowed = authzen_service.authorize_subscribe(
    &subscriber_agent, &source_type, Some(source_id)  
).await?;

🧪 Demo Application

Run the comprehensive demo:

# Basic demo with mock PDP
cargo run --bin authzen-demo

# With real AuthZEN PDP
cargo run --bin authzen-demo --pdp-endpoint http://your-pdp:8080

# Enable fallback policies
cargo run --bin authzen-demo --fallback-allow

# Disable AuthZEN (JWT-only mode)  
cargo run --bin authzen-demo --authzen-enabled false

Expected demo output:

@RazcoDev RazcoDev requested a review from a team as a code owner July 1, 2025 13:52
RazcoDev added 4 commits July 15, 2025 11:08
@RazcoDev
feat: Add OpenID AuthZEN integration for fine-grained authorization
82dad9a 
Implements iteration 1 of AuthZEN integration into SLIM providing standards-based
policy enforcement for agent operations.

Core features:
- Complete AuthZEN v1 API client with caching and fallback policies
- SLIM service integration for route/publish/subscribe authorization
- Comprehensive demo application with real-world scenarios
- Agent to AuthZEN Subject/Resource conversions
- Configurable PDP endpoints and graceful degradation

This establishes foundation for policy-driven authorization beyond
simple JWT claims, enabling centralized policy management.

Signed-off-by: Razco <razchn@gmail.com>
@RazcoDev
fix: Make AuthZEN demo runnable
f248133 
- Add minimal SLIM config file for demo with insecure TLS
- Fix rustls crypto provider setup to resolve 'No provider set' error
- Clean up unused imports and variables in demo code
- Demo now runs successfully and shows AuthZEN integration behavior

The demo correctly demonstrates fail-closed authorization when no PDP is available.

Signed-off-by: Razco <razchn@gmail.com>
@RazcoDev
improve: Make AuthZEN demo user-friendly with clear messaging
63f93b9 
- Change default to fail-open (fallback_allow=true) for positive demo experience
- Add --fail-closed flag for easy testing of security-first behavior
- Improve authorization result messaging to be less alarming:
  * 'DENIED by policy' instead of error messages
  * Clear explanations about expected behavior
  * Better distinction between policy decisions and network failures
- Update README with both fail-open and fail-closed usage examples
- Add informative headers showing PDP endpoint and fallback policy

Demo now provides excellent user experience while demonstrating both
security models clearly.

Signed-off-by: Razco <razchn@gmail.com>
@RazcoDev
feat: Enhance AuthZEN demo with mock PDP server and new flags
9695b5b 
- Added `mock_pdp` and `no_mock_pdp` flags for local testing with a mock PDP server.
- Implemented realistic authorization policies in the mock server for testing.
- Updated `Args` struct to include flags for mock PDP usage.
- Enhanced README with mock PDP details and usage instructions.
- Improved demo output to focus on authorization decisions without actual SLIM operations.

This update provides a more user-friendly experience for testing AuthZEN authorization scenarios.

Signed-off-by: Razco <razchn@gmail.com>
@RazcoDev RazcoDev force-pushed the feature/authzen-integration-v1 branch from ae5e35c to 9695b5b Compare July 15, 2025 08:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@RazcoDev