
Caveat Feedback Mechanism

Open croemmich opened this issue 1 year ago • 1 comments

It would be really helpful if information about failed caveats was included in Check/Lookup responses in order to provide feedback to the user.

We have implemented a LOA (Level of Authentication) check using a caveat. Each tenant can specify a different minimum LOA for their tenant or specific resources. Here's a very simple example:

definition subject {}

definition tenant {
    relation admin: subject
    relation acr: subject:* with acr_loa

    permission test = acr & admin
}

caveat acr_loa(min_loa int, current_loa int) {
    current_loa >= min_loa
    || current_loa < 0 // negative current_loa is used to bypass check for anon users
}

While this evaluates permissions correctly, we don't have a way to know if a user just doesn't have access or if we need to prompt them to "step up" their authentication level, after which they likely would.

croemmich avatar Jan 29 '24 03:01 croemmich
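The ambiguity the issue describes, shown as an added example (this is illustration code written for this page, not code from SpiceDB or from the issue author). It models the schema above in memory: the `acr_loa` caveat is evaluated by a Python function, `permission test = acr & admin` is an intersection, and a check comes back as HAS_PERMISSION, NO_PERMISSION, or CONDITIONAL_PERMISSION when caveat context is missing. The `failed_caveats` field on the result is the hypothetical feedback the issue asks for and does not exist in SpiceDB's Check response. `step_up_would_help` is an application-side workaround that needs no such feedback: it re-runs the check as if the user had already stepped up to the highest level the identity provider can issue. The tenant `tenant:acme`, the subjects `alice`/`bob`, `MAX_LOA = 3`, and the rule that context stored on the relationship wins over request context on conflict are all assumptions of the example; against a real deployment, `check_test` would be replaced by a CheckPermission call.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Permissionship(Enum):
    HAS_PERMISSION = "HAS_PERMISSION"
    NO_PERMISSION = "NO_PERMISSION"
    CONDITIONAL_PERMISSION = "CONDITIONAL_PERMISSION"  # caveat context was incomplete


@dataclass
class CheckResult:
    permissionship: Permissionship
    missing_context: List[str] = field(default_factory=list)
    # Hypothetical feedback field requested by the issue: caveats that evaluated to false.
    failed_caveats: List[str] = field(default_factory=list)


# caveat acr_loa(min_loa int, current_loa int) { current_loa >= min_loa || current_loa < 0 }
def acr_loa(min_loa: int, current_loa: int) -> bool:
    return current_loa >= min_loa or current_loa < 0


# caveat name -> (evaluator, parameter names in declaration order)
CAVEATS: Dict[str, Tuple[Callable[..., bool], Tuple[str, ...]]] = {
    "acr_loa": (acr_loa, ("min_loa", "current_loa")),
}


@dataclass
class Relationship:
    resource: str                      # e.g. "tenant:acme"
    relation: str                      # "admin" or "acr"
    subject: str                       # "subject:alice" or the wildcard "subject:*"
    caveat: Optional[str] = None
    caveat_context: Dict[str, int] = field(default_factory=dict)  # context stored on the tuple


def check_relation(rels: List[Relationship], resource: str, relation: str,
                   subject: str, context: Dict[str, int]) -> CheckResult:
    """Evaluate one relation arm for a subject, honouring wildcards and caveats."""
    for rel in rels:
        if rel.resource != resource or rel.relation != relation:
            continue
        if rel.subject not in (subject, "subject:*"):
            continue
        if rel.caveat is None:
            return CheckResult(Permissionship.HAS_PERMISSION)
        evaluator, params = CAVEATS[rel.caveat]
        # Assumption of this model: context stored on the relationship takes precedence.
        merged = {**context, **rel.caveat_context}
        missing = [p for p in params if p not in merged]
        if missing:
            return CheckResult(Permissionship.CONDITIONAL_PERMISSION, missing_context=missing)
        if evaluator(**{p: merged[p] for p in params}):
            return CheckResult(Permissionship.HAS_PERMISSION)
        return CheckResult(Permissionship.NO_PERMISSION, failed_caveats=[rel.caveat])
    return CheckResult(Permissionship.NO_PERMISSION)


def check_test(rels: List[Relationship], tenant: str, subject: str,
               context: Dict[str, int]) -> CheckResult:
    """permission test = acr & admin: both arms must grant."""
    arms = [check_relation(rels, tenant, "acr", subject, context),
            check_relation(rels, tenant, "admin", subject, context)]
    denied = [a for a in arms if a.permissionship is Permissionship.NO_PERMISSION]
    if denied:
        failed = sorted({c for a in denied for c in a.failed_caveats})
        return CheckResult(Permissionship.NO_PERMISSION, failed_caveats=failed)
    conditional = [a for a in arms if a.permissionship is Permissionship.CONDITIONAL_PERMISSION]
    if conditional:
        missing = sorted({m for a in conditional for m in a.missing_context})
        return CheckResult(Permissionship.CONDITIONAL_PERMISSION, missing_context=missing)
    return CheckResult(Permissionship.HAS_PERMISSION)


MAX_LOA = 3  # assumption: the strongest level the identity provider can issue


def step_up_would_help(rels: List[Relationship], tenant: str, subject: str,
                       current_loa: int) -> bool:
    """Denied at the current LOA but allowed at MAX_LOA means a step-up prompt is useful.
    Denied at MAX_LOA too means the user simply lacks access (e.g. not an admin)."""
    now = check_test(rels, tenant, subject, {"current_loa": current_loa})
    if now.permissionship is Permissionship.HAS_PERMISSION:
        return False
    best = check_test(rels, tenant, subject, {"current_loa": MAX_LOA})
    return best.permissionship is Permissionship.HAS_PERMISSION


# Constructed sample data mirroring the issue's schema: alice is an admin of tenant:acme,
# and the tenant requires LOA 2 for every subject via the wildcard acr relation.
RELS = [
    Relationship("tenant:acme", "admin", "subject:alice"),
    Relationship("tenant:acme", "acr", "subject:*", "acr_loa", {"min_loa": 2}),
]

if __name__ == "__main__":
    for who, loa in (("subject:alice", 1), ("subject:alice", 2), ("subject:bob", 1)):
        r = check_test(RELS, "tenant:acme", who, {"current_loa": loa})
        print(who, loa, r.permissionship.value, r.failed_caveats,
              "step-up helps:", step_up_would_help(RELS, "tenant:acme", who, loa))
```

Note that `failed_caveats` alone does not settle the question: bob's check also reports `acr_loa` as failed, yet no step-up will make him an admin. The second probe at `MAX_LOA` is what separates "prompt the user" from "deny".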

Hey @croemmich 👋

Today there are two mechanisms to determine why a user was or wasn't granted access to a resource: the Expand API (which has its limitations - it does not recurse on traversal) and debug metadata (currently only supported on Check API). Just so you know, there are 2 debug levels, basic and trace. You can only use basic debug as trace is not supported via the Check API. LookupResources does not support debug metadata for now, but feel free to open an issue if you'd like to see it supported.

To enable debug metadata you should provide the io.spicedb.requestdebuginfo header (value does not matter). The metadata will be included in the gRPC trailer with key io.spicedb.respmeta.debuginfo.

Please note metadata does not come for free and adds some overhead.

vroldanbet avatar Jan 29 '24 08:01 vroldanbet

Debug information will be moving into the check request/response itself shortly; once it's there, you can read the trace to determine the missing caveat parameters.

josephschorr avatar Mar 13 '24 18:03 josephschorr

Reference: https://github.com/authzed/spicedb/pull/1795

@croemmich Let us know if you need any additional information now that the check trace has been moved into the response

josephschorr avatar Mar 16 '24 00:03 josephschorr