Identity Resolution: Fallback user lookup not working

Open ghost opened this issue 4 months ago • 1 comments

While testing a policy, I am unable to resolve identityContext directly to a user. If I add an identity type and relate the user to that identity, resolution succeeds. I don't want to use an extra type for this, and the fallback of searching user objects is not working.

Error Message

Debug Result:

{
  "level": "error",
  "component": "api.grpc",
  "api": "authz",
  "error": "rpc error: code = InvalidArgument desc = E20026 object type not found: identity",
  "identity_context": { "identity": "1", "type": 2 },
  "time": "2025-08-14T23:23:17Z",
  "message": "failed to resolve identity context"
}

{
  "level": "warn",
  "request": {
    "policy_context": { "path": "netchex", "decisions": ["allowed"] },
    "identity_context": { "identity": "1", "type": 2 },
    "resource_context": {
      "object_id": "1",
      "object_type": "company",
      "permission": "security_group:10"
    }
  },
  "error": {
    "error": "E30007 authentication failed: failed to resolve identity context",
    "msg": "failed to resolve identity context"
  },
  "error-id": "a89af907-7965-11f0-9db4-b20b37a09d89",
  "error-code": "E30007",
  "status-code": 5,
  "aserto-http-statuscode": "401",
  "msg": "failed to resolve identity context",
  "time": "2025-08-14T23:23:17Z",
  "Aserto-Request-Id": "a89ae020-7965-11f0-9db4-b20b37a09d89",
  "Aserto-Tenant-Id": "-",
  "method": "/aserto.authorizer.v2.Authorizer/Is",
  "message": "authentication failed"
}

Reproduce

Manifest:

model:
  version: 3

types:
  ### display_name: User ###
  user: {}
  ### display_name: Company ###
  company:
    relations:
      member: user

Data:

{
  "objects": [
    {
      "type": "company",
      "id": "1"
    },
    {
      "type": "user",
      "id": "1",
      "properties": { "security_groups": [10] }
    }
  ]
}

Relations:

{
  "relations": [
    {
      "object_type": "company",
      "object_id": "1",
      "relation": "member",
      "subject_type": "user",
      "subject_id": "1"
    }
  ]
}

Evaluation:

{
  "assertions": [
    {
      "check_decision": {
        "identity_context": { "identity": "1", "type": "IDENTITY_TYPE_SUB" },
        "resource_context": { "object_type": "company", "object_id": "1" },
        "policy_context": { "path": "does_not_matter", "decisions": ["allowed"] }
      },
      "expected": true
    }
  ]
}

ghost avatar Aug 14 '25 23:08 ghost
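The workaround the report itself mentions, an extra identity type with a relation to the user, looks like this. This is an added example, not the reporter's files and not anything shipped by the Topaz project; it assumes the type name `identity` and the relation name `identifier` (Topaz's conventional names, but assumed here), and it assumes the identity object's id is the value sent in `identity_context.identity` (here `"1"`, matching the evaluation block above). The company type and member relation from the reported manifest are kept unchanged.

```yaml
# manifest.yaml: the issue's manifest plus an identity type
model:
  version: 3

types:
  ### display_name: User ###
  user: {}

  # Added type: one identity object per login identifier (sub, email, ...).
  # "identity" and "identifier" are assumed names, not taken from the issue.
  ### display_name: Identity ###
  identity:
    relations:
      identifier: user

  ### display_name: Company ###
  company:
    relations:
      member: user
---
# objects (shown as YAML for readability): add the identity object whose id
# equals the identity_context.identity value; the existing company and user
# objects from the issue stay as they are
objects:
  - type: identity
    id: "1"
---
# relations: link the identity to the user it identifies; the existing
# company -> member -> user relation from the issue stays as it is
relations:
  - object_type: identity
    object_id: "1"
    relation: identifier
    subject_type: user
    subject_id: "1"
```

With this in place the check in the Evaluation block resolves identity `"1"` to user `"1"` through the `identifier` relation, so the user-object fallback is never needed. In the debug log, `"type": 2` is the wire value of `IDENTITY_TYPE_SUB`, the same identity type the evaluation block names, so the failing lookup is the one for object type `identity` with id `"1"`, which is exactly the object this example adds.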

Currently, this is by design, allowing users to have multiple identities associated with a single digital user instance. While I understand that this design is not everyone's choice, that is what the implementation is based on today.

I can investigate what it would take to change, which I have done before. The problem is that this requires a breaking API change, as we need to make the targeting object type an input in the identity context.

gertd avatar Aug 15 '25 08:08 gertd