
deptofdefense/policyengine


Policy Engine

Policy Engine is an authentication/authorization (authx) service designed to work with traefik as a Forward Auth provider.

The overall workflow is, at the request level, to evaluate SSO tokens and Webauthn tokens and then perform an authorization check using Open Policy Agent.

Both SSO and Webauthn are optional: each can be turned off or pointed at any service that provides that function. For testing purposes we have been using Vouch with Google sign-in and the demo Webauthn project by Duo.

Getting Started

Policy Engine is an authx mechanism that is sent a request containing the headers to be evaluated and responds with the appropriate HTTP code and, if necessary, a redirect URL. It currently supports SSO and Webauthn tokens for authentication and Open Policy Agent for authorization.

SSO (Vouch)

For SSO we use Vouch Proxy which provides an abstraction for a number of SSO providers and will do the validation of the Vouch-Token.

The internals of Policy Engine were designed around Vouch's suggested setup, and only the minimal Vouch configuration is necessary to have this up and running.

The SSO function can also be disabled by setting the following environment variable.

SSOOFF=1

Webauthn (just an example)

For Webauthn we used the Duo example project. This is just for testing, but we liked the properties of U2F/FIDO and wanted to be able to demonstrate it being used in real time to provide a security benefit.

We also implemented the internals in a way that the minimal webauthn.io example should work out of the box.

The U2F function can be disabled by setting the following environment variable.

U2FOFF=1

Open Policy Agent

Open Policy Agent is a policy engine that evaluates Datalog-style rules and uses JSON documents as input and data sources. OPA evaluates the policy rules against the input and data and returns the result. The input is the AttributeTuple struct, which is submitted via POST to the OPA endpoint, and Policy Engine expects a true/false return value.
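The OPA exchange described above, as an added example that is not part of the project's code: a Go client that POSTs an AttributeTuple as OPA "input" to the Data API and fails closed when the reply is anything other than a boolean true. The AttributeTuple fields, the decision path policyengine/allow and the function names are assumptions; the {"input": ...} request and {"result": ...} response envelope is OPA's REST API.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
)

// AttributeTuple is an assumed shape for the request attributes Policy Engine
// forwards to OPA; the real struct's fields are not documented on this page.
type AttributeTuple struct {
	User   string `json:"user"`
	Method string `json:"method"`
	Path   string `json:"path"`
}

// Decide interprets an OPA Data API reply, {"result": <value>}, and fails closed:
// a non-2xx status, an undefined rule (no "result" key) or a non-boolean is a deny.
func Decide(status int, body []byte) (bool, error) {
	if status/100 != 2 {
		return false, fmt.Errorf("opa returned HTTP %d", status)
	}
	var out struct{ Result *bool `json:"result"` }
	if err := json.Unmarshal(body, &out); err != nil {
		return false, fmt.Errorf("unexpected opa response: %w", err)
	}
	if out.Result == nil {
		return false, nil // rule undefined for this input
	}
	return *out.Result, nil
}

// Authorize POSTs the tuple as OPA "input" to a decision endpoint such as
// http://opa:8181/v1/data/policyengine/allow and returns the allow/deny result.
func Authorize(client *http.Client, opaEndpoint string, t AttributeTuple) (bool, error) {
	body, _ := json.Marshal(map[string]AttributeTuple{"input": t}) // cannot fail for this type
	resp, err := client.Post(opaEndpoint, "application/json", bytes.NewReader(body))
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	raw, err := io.ReadAll(resp.Body)
	if err != nil {
		return false, err
	}
	return Decide(resp.StatusCode, raw)
}
```

An OPA rule that is undefined for a given input yields an empty `{}` document rather than `false`, which is why Decide treats a missing result as a deny instead of an error.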

More documentation can be found at the OPA site and more examples about our specific implementation can be found in our Access Proxy repo.

About

authn and authz services for web-based access decisions
