unable to turn on "disclose" => true with dynamic authorization

#1

All,

How do I return true/false from the dynamic authorizer and also tell crossbar to enable caller/publisher to be disclosed for ALL calls?

I read about “From a Dynamic Authorizer” here: http://crossbar.io/docs/Publisher-Identification/

So, in crossbar, I can’t have ‘permissions’ and ‘authorizer’ at the same time? I want to turn on ‘disclose:true’ from my dynamic authorization, but currently this function just returns true or false to indicate that authorization has been allowed.

I’m using Crossbar, PHP, and Thruway to write the authorizer call:

public function apiAuthorize($args, $kwargs, $details)
{
    // params: Crossbar passes (session info, uri, action) as positional args
    list($info, $uri, $action) = $args;
    $authid = $info->authid ?? 0;

    // authorize all (how to add with callee/publisher disclosure?)
    return true; // new Thruway\Result([true]);
}

When I return true here, disclosure is not enabled. This does NOT have disclose enabled:

{
    "id": "myrole",
    "name": "myrole",
    "authorizer": "com.example.authorizer"
}


But when I stop using a dynamic authorizer and turn on ALL permissions again, ‘disclose’ starts working:

{
    "id": "myrole",
    "name": "myrole",
    "permissions": [
        {
            "uri": "",
            "match": "prefix",
            "allow": {
                "call": true,
                "register": true,
                "publish": true,
                "subscribe": true
            },
            "disclose": {
                "caller": true,
                "publisher": true
            },
            "cache": true
        }
    ]
}
What is working and why do I need it? In all of my RPC calls, I need to use the 'authid' to access data for only the authenticated user:

public function apiExample($args, $kwargs, $details)
{
    // params: caller_authid is only present when caller disclosure is enabled
    $authid = $details->caller_authid ?? 0;

    // do something with this logged in user ...

    ...

    // result
    return $result;
}

If disclose is not turned on, the caller_authid is empty and I don’t know the ID of the connected client making the API call.

How do I return true/false in the dynamic authorizer and also enable caller/publisher to be disclosed for ALL calls?

– Dante


#2

Hi Dante,

Instead of returning True/False from your authorizer, you need to return a dict containing ‘allow’ and ‘disclose’.
From a migration perspective, an easy way to switch is to wrap the return value in a function (I’m using Python):

def do_ret(allowed):
    """Format a return value: keep the allow decision, always disclose."""
    return {'allow': allowed, 'disclose': True}

So for each instance where you might do;

return $result;


Instead just do;

return do_ret($result);


I’ve just come across the same issue upgrading; thus far this solution seems to work and be fairly painless …

docs are hiding 2/3rds of the way down this page;

http://crossbar.io/docs/Authorization/

:slight_smile: hth


#3

Gareth,

Yes, you got it!

From PHP/Thruway, I needed to return a dictionary with ‘allow’ set to true/false and disclose enabled. Here’s what I ended up using:

public function apiAuthorize($args, $kwargs, $details)
{
    // params
    list($info, $uri, $action) = $args;
    $authid = $info->authid ?? 0;

    // ... do something ...

    // authorize all (with callee/publisher disclosure)
    return ['allow' => true, 'disclose' => true];
}

It’s working! I’ve gone back and studied the docs link you gave me … and yes, I see it documented now:

"Note: The example here returns just a boolean which indicates whether the action is allowed or not. Authorizers can configure additional aspects, e.g. whether a caller’s or publisher’s identity is disclosed to the callee or subscribers. In this case, a dictionary is returned, e.g. {"allow": true, "disclose": false}."

I wish all of the “additional aspects” were documented better.

Thanks for the help!

– Dante

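The following is an added example, not code posted by Dante or Gareth and not Crossbar's own code. It puts together both halves of the thread in Python: a dynamic authorizer that answers with the {"allow": ..., "disclose": ...} dict from the docs quoted above instead of a bare boolean (so caller/publisher identity is disclosed on every decision), and the called procedure's side, which reads the disclosed caller_authid and fails closed when it is missing rather than defaulting to a shared id. The POLICY table, the decision(), authorize() and api_example() names, and the optional fourth `options` argument are this example's assumptions; `details` is modelled as a plain dict so the code runs without a router (Crossbar hands autobahn a CallDetails object with a caller_authid attribute).

```python
"""Added example (not the thread's own code): a Crossbar-style dynamic
authorizer returning {"allow": ..., "disclose": ...}, plus the fail-closed
caller_authid check a called procedure should perform.

POLICY, decision(), authorize() and api_example() are this example's own
names; only the return shape and the caller_authid detail come from the
Crossbar docs quoted in the thread.
"""

ACTIONS = ("call", "register", "publish", "subscribe")

# Constructed policy (assumption): URI prefixes each authrole may use per
# action. Unknown roles and unknown actions fall through to a deny.
POLICY = {
    "myrole": {
        "call": ["com.example.api."],
        "subscribe": ["com.example.events."],
    },
    "backend": {
        "register": ["com.example.api."],
        "publish": ["com.example.events."],
    },
}


def decision(allow, disclose=True):
    """Build the dict Crossbar expects from a dynamic authorizer.

    Returning a bare True/False leaves disclosure off; the 'disclose' key is
    what makes caller_authid / publisher_authid appear in the details.
    """
    return {"allow": bool(allow), "disclose": bool(disclose)}


def authorize(session, uri, action, options=None):
    """Dynamic authorizer body (register it under e.g. com.example.authorizer).

    `session` is the dict Crossbar passes (keys include 'authid' and
    'authrole'). `options` is the optional fourth argument newer Crossbar
    versions pass (assumption); it is unused here.
    """
    if action not in ACTIONS:
        return decision(False)
    authrole = session.get("authrole")
    if not session.get("authid") or authrole not in POLICY:
        # no identity to disclose, or no policy for this role: fail closed
        return decision(False)
    prefixes = POLICY[authrole].get(action, [])
    allowed = any(uri.startswith(prefix) for prefix in prefixes)
    # disclose on every decision so callees/subscribers see who is calling
    return decision(allowed, disclose=True)


def api_example(details):
    """Called procedure: use the disclosed identity from `details`.

    If disclosure is off the value is None; refuse instead of defaulting to
    a shared id such as 0, which would silently serve the wrong user's data.
    """
    authid = details.get("caller_authid")
    if not authid:
        raise PermissionError("caller identity not disclosed; refusing")
    return {"owner": authid}  # stand-in for a per-user data lookup


if __name__ == "__main__":
    session = {"authid": "dante", "authrole": "myrole"}  # constructed
    print(authorize(session, "com.example.api.get", "call"))
    print(authorize(session, "com.example.api.get", "register"))
    print(api_example({"caller_authid": "dante"}))
```

With autobahn this `authorize` function is what you register at the URI named in the role's "authorizer" key; the router then calls it for every call/register/publish/subscribe and honours the "disclose" flag per decision, which is the behaviour Dante's static "permissions" block produced and the bare boolean return did not.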