Verify CAS Access Token

Preface

This guide will explain how to validate a Subject's CAS access token using the CAS User Info endpoint.

It is recommended you delegate this operation to the Organisational Policy following the method described in Using Organisational Policy, however the implementation example given in Implementing Manually can be used if required.

Using Organisational Policy

When loaded, you can delegate CAS token verification decisions to the Organisational Policy Bundle by referencing the data.diamond.policy.token.subject variable in your policy and setting the USERINFO_ENDPOINT environment variable to point to the CAS User Info endpoint - e.g. https://auth.diamond.ac.uk/cas/oidc/oidcProfile.

The example below shows how you might write a system package which allows the action if input.action is "do_thing" and the input.token is for the subject "bob".

Example

system.rego

package system

import data.diamond.policy.token
import rego.v1

# METADATA
# description: Allow bob to do a thing
# entrypoint: true
main := {"allow": allow}

default allow := false

# Allow bob to do the thing
allow if {
    input.action == "do_thing"
    subject := token.verify(input.token)
    subject == "bob"
}

Implementing Manually

The data.diamond.policy.token.subject variable is implemented as an HTTP GET request to the CAS User Info Endpoint, provided by the USERINFO_ENDPOINT environment variable, as below:

package diamond.policy.token

import rego.v1

verify(token) := profile.sub if {
    profile := http.send({
        "url": opa.runtime().env.USERINFO_ENDPOINT,
        "method": "GET",
        "headers": {"authorization": token},
    })
}