Authentication & Authorization

The Midaz authentication and authorization system is designed to be adaptable and secure, following current best practices and tooling. It integrates Casdoor and Casbin to protect user data and covers login, registration, permission management, and authorization control.

Technology Stack

Before diving into the specific services provided by Casdoor and Casbin, it's important to understand their role in the broader identity and access management ecosystem. Both tools are key components of modern, open-source security solutions for applications.

Casdoor

Casdoor is a user-friendly identity management platform that simplifies authentication, registration, and user control. With a flexible and intuitive interface, it supports various login methods, including OAuth2, OpenID Connect, and multi-factor authentication.

Key Features

  • User Management: Casdoor enables developers to centralize user registration, authentication, and profile management, enhancing the user experience.

  • Support for Identity Providers: It integrates with various identity providers, allowing users to log in using their existing accounts from platforms like Google or Facebook.

  • Customizable Authentication Flows: Casdoor allows for the personalization of registration and login processes, tailoring them to the specific needs of each application.

Key Components

  • Organizations: Organizations represent groups or entities, each with its own authentication settings and user management. This allows for hierarchical structures, making it easier to manage multiple units within a single application.

  • Applications: Each application registered in Casdoor has its unique authentication settings and login flows. Applications enable customization of authentication behavior tailored to specific contexts and needs.

  • Users: Casdoor handles user registration, authentication, and management, storing user information such as email, name, and authentication methods. Users are the profiles interacting with the platform.

  • Adapters: Adapters allow integration with different identity providers (such as Google or Facebook). They enable users to authenticate using external service accounts.

  • Enforcers: Enforcers ensure that access policies are properly enforced. They check whether a user has permission to access specific resources, according to predefined rules.

  • Roles: Roles are used to group users with similar permissions, simplifying access management. By defining roles, permissions can be assigned more efficiently.

Official Documentation

For more information, refer to the official Casdoor documentation.

Casbin

While Casdoor focuses on authentication, Casbin is a powerful access control library that manages permissions within applications. Using flexible authorization models like Attribute-Based Access Control (ABAC) or Role-Based Access Control (RBAC), Casbin enables developers to define fine-grained access policies.

Key Features

  • Authorization Policies: Casbin allows for the creation and enforcement of access rules based on user attributes, resources, and actions, ensuring detailed and dynamic access control.

  • System Integration: It is compatible with various databases and authentication systems, making it adaptable to different architectures.

  • Auditing and Monitoring: Casbin can log access actions and decisions, adding an extra layer of security and compliance.

Casdoor integrates Casbin internally to handle access control efficiently. This ensures that only authorized users can access specific resources by applying pre-defined authorization rules.

Configuring Casbin in Casdoor

To access Casbin's functionalities within Casdoor, two main files must be configured: model and policy.

  • Model File: The model.conf file defines how Casbin evaluates permissions. It contains the logic for processing access requests, using models such as RBAC (Role-Based Access Control) or ABAC (Attribute-Based Access Control). The structure of the model file must follow a specific format that clearly outlines the authorization rules to be applied. In Figure 1, you can find an example of a model.conf file.

  • Policy File: The policy file stores the access rules, either in a format like CSV (Figure 2) or directly in a database. These rules govern access based on user roles and permissions. For the Midaz system, the policies are stored in the casbin_lerian_rule table within Casdoor's database.
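To make the two files concrete, here is an added example (not Midaz, Casdoor or Casbin code) of a minimal evaluator that applies an RBAC model.conf matcher to CSV policy lines the way Casbin does: p lines grant (subject, object, action), g lines link a user or role to a role, and a request is allowed when some policy line satisfies the matcher. The model, policy rows, subjects and paths are constructed for illustration and are not the rules from the casbin_lerian_rule table.

```python
# Added example, not Midaz/Casdoor/Casbin code: a minimal evaluator that applies
# a Casbin RBAC model.conf matcher to CSV policy lines. All data is constructed.
import configparser, csv, io
from types import SimpleNamespace

MODEL_CONF = """[request_definition]
r = sub, obj, act
[policy_definition]
p = sub, obj, act
[role_definition]
g = _, _
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
"""
POLICY_CSV = """p, admin, /accounts, write
p, auditor, /accounts, read
g, admin, auditor
g, alice, admin
g, bob, auditor
"""

def has_role(links, who, role, seen=frozenset()):
    # g(who, role): who is role itself or reaches it through a chain of g links.
    if who == role:
        return True
    return any(has_role(links, nxt, role, seen | {who})
               for nxt in links.get(who, ()) if nxt not in seen)

def enforce(model_text, policy_csv, *request):
    cfg = configparser.ConfigParser()
    cfg.read_string(model_text)
    r_fields = [f.strip() for f in cfg["request_definition"]["r"].split(",")]
    p_fields = [f.strip() for f in cfg["policy_definition"]["p"].split(",")]
    matcher = cfg["matchers"]["m"].replace("&&", " and ").replace("||", " or ")
    perms, links = [], {}
    for row in csv.reader(io.StringIO(policy_csv), skipinitialspace=True):
        if row and row[0] == "p":
            perms.append(row[1:])
        elif row and row[0] == "g":
            links.setdefault(row[1], set()).add(row[2])
    env = {"__builtins__": {}, "r": SimpleNamespace(**dict(zip(r_fields, request))),
           "g": lambda who, role: has_role(links, who, role)}
    # Effect some(where (p.eft == allow)): one matching allow line is enough.
    for perm in perms:
        env["p"] = SimpleNamespace(**dict(zip(p_fields, perm)))
        if eval(matcher, env):  # model.conf is trusted operator config here
            return True
    return False
```

Because admin is linked to auditor by a g line, alice can both write and read /accounts, while bob can only read; a subject with no g line is denied everything.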

Casdoor and Casbin: Unified Identity and Access Management

The combination of Casdoor and Casbin offers a strong identity and access management solution. Casdoor takes care of user authentication, while Casbin handles access permissions within the application. This integration enhances security and simplifies developer workflows, making it easier to implement access control systems efficiently.

Security Considerations

Both Casdoor and Casbin adhere to security best practices to protect sensitive data. Casdoor encrypts passwords with robust encryption methods and allows customizable password policies to safeguard against breaches. Casbin offers flexible, granular access control using models like ABAC and RBAC, enabling precise access rules that strengthen security. Together, these tools create a secure environment for identity and permission management.

API Access and Swagger Documentation

Casdoor provides APIs for interacting with the integrated Casbin instance. These APIs allow developers to manage users, enforce access policies, and control permissions programmatically. To access the available APIs, use the Swagger documentation.

This Swagger UI provides detailed documentation and testing tools for interacting with Casdoor and Casbin's API features, including managing authentication flows and enforcing policies.

Authentication and Authorization Flows

Registration and Login

  • Registration: Users register via browser interfaces or APIs, providing personal and access-related information.

  • Login: Post-registration, users log in using established credentials, with the system verifying and securing their data.

Identity Management

This feature handles all user-related operations, including registration, login, and profile management. The system supports various authentication methods, including traditional usernames and passwords, social logins (Google, Facebook, etc.), and passwordless authentication. Security measures like multi-factor authentication (MFA) and account recovery are integrated to prevent unauthorized access.

Benefits

  • User registration and login.

  • Multi-factor authentication and password recovery.

  • Integration with multiple identity providers.

Token Issuance and Management

In modern microservices architectures, secure access through tokens is crucial. After authentication, access tokens are issued to grant users access to different parts of the application. These tokens comply with standard protocols like OAuth 2.0 and OpenID Connect, ensuring secure and compatible resource access.

Benefits

  • Secure, scalable token-based authentication.

  • Implements OpenID Connect for identity verification, adding security with ID tokens.

Authorization and Access Control

This aspect governs what authenticated users can do within the application. Various access control models, including RBAC and ABAC, define complex policies that manage how users interact with resources based on roles, attributes, or contextual information.

Benefits

  • Granular and flexible access policies.

  • Dynamic permission settings using ABAC based on user attributes.

Identity and Access Proxy

An identity and access proxy acts as a security gateway that handles all incoming HTTP requests to services. It ensures proper authentication and authorization before forwarding requests to backend services. This includes verifying tokens, transforming credentials, and potentially enriching requests with additional user information. It ensures that only valid, authenticated, and authorized requests are processed.
