Use OPA Server caller identity in OPA policy

[HenriBlacksmith]

I am currently setting up Bearer token authentication on an OPA server as documented in https://www.openpolicyagent.org/docs/latest/security/#authentication-and-authorization

I created a specific policy to manage authorization on OPA server using system.authz package.
From the docs, this package has the Bearer token in the input.identity implicit input.

Now I am wondering how I can obtain the JWT or some JWT claims in a policy (apart from the system.authz package) as a policy input.

Is this currently possible? Or should I explicitly re-add those claims as an input for my custom policy and check the coherence with the input JWT in the system.authz package?

[anderseknert]

Hi @HenriBlacksmith 👋 Yes, the authorization header token would be presented for access to the OPA API itself, while attributes carried in input would normally authorize the original request from an end-user or such. These are commonly not the same, but if they are, I suppose you could skip the verification in the OPA policy and assume the token was verified as part of API authentication/authorization, depending on your requirements.

[HenriBlacksmith]

Thanks for the reply, my need is to remove the user id from the policy inputs and get it from the authorization/authentication context instead.

But from the docs and code it does not look like OPA currently propagates any request context beyond the system.authz package (authorizer ?)

I assume this could be an improvement for OPA to support that?

[anderseknert]

That's correct. Propagating data from the request context assumes that there is a request context, and not making such an assumption allows the same policy to be evaluated in any context and by any tool available in the OPA toolchain or even ecosystem, like opa test, opa eval, opa bench, opa exec, and so on.

I suppose an authorization policy could be made to work so that it was allowed to contribute data to the input object of the regular policy evaluation, but I'm not entirely sure what that would look like.

[HenriBlacksmith]

Ok, I understand :-) It clearly splits concerns between:

• Can I evaluate this OPA policy?

And

• What's the decision result?

Which makes a lot of sense