RBAC

RBAC, or Role based access control, provides users with very specific sets of permissions based on assigned Groups, Roles, & Actions

User

And end-user / service that accesses an endpoint.

Type - user

Type - service

Permissions

Permissions are derived from the group or groups assigned to the specific user.

Group

Assigned to Users, and containing a list of specified roles.

Permissions are derived from the roles assigned to the specific group.

Role

Assigned to Groups, and containing a list of actions.

Permissions are derrived from the Actions assigned to the specific Role

Action

Actions are the most granuar permission that can be created to define something that can be allowed.

Tokens

Tokens are created for a specifc user, that contain the full permissions tree for a specific user (Groups, Roles, Actions)

User Token - Expiration

Service Token - Expiration

Revoking a Token

Once a token is created, it is valid until expiration or EasyAuthServer key rotation.

EasyAuthServer maintains a token registry of issued tokens, containing the underlying username, issue date, expiraiton_date & token_id.

EasyAuthServer updates all EasyAuthServer workers & connected EasyAuthClients when a token is added / revoked.

Get Current User

Both EasyAuthServer / EasyAuthClients can determine the current user accessing an endpoint by adding user: str = get_user() to any easyauth decorated endpoint:

#test_client.py
from fastapi import FastAPI

from easyauth.client import EasyAuthClient
from easyauth import get_user

server = FastAPI()

server.auth = await EasyAuthClient.create(
    server,
    token_server='0.0.0.0',
    token_server_port=8090,
    auth_secret='abcd1234',
    default_permissions={'groups': ['users']}
)

# grants access to users matching default_permissions
@server.auth.get('/default')
async def default(user: str = get_user()):
    return f"{user} is accessing default endpoint"