Skip to content

Cedarling Design `authorize_multi_issuer` Tasks

Jump to bottom
Michael Schwartz edited this page Sep 5, 2025 · 2 revisions

Implementation Plan

  • 1. Create core interfaces and data structures

    • Define TokenInput interface with mapping and payload fields
    • Define AuthorizeMultiIssuerRequest interface with tokens array, resource, action, and context fields
    • Create generic Token entity structure with tags for Cedar compatibility
    • Create TokenCollection entity structure with secure flattened naming based on trusted issuer metadata
    • Requirements: 4.1, 4.2, 5.1, 5.4, 10.1

  • 2. Implement three-phase token validation system

    • 2.1 Create signature validation component

      • Implement JWT signature verification using existing Cedarling capabilities
      • Create validation result structure to track success/failure with details
      • Write unit tests for signature validation with valid and invalid tokens
      • Requirements: 9.1, 9.4, 6.1

    • 2.2 Create content validation component

      • Implement JWT claims validation for exp, nbf, iat, and time-based constraints
      • Create specific error messages for each type of content validation failure
      • Write unit tests for content validation with expired, not-yet-valid, and valid tokens
      • Requirements: 9.2, 9.4, 6.2

    • 2.3 Create status check validation component

      • Implement OAuth Status List JWT validation to check token active status
      • Handle revoked and inactive token scenarios with appropriate logging
      • Write unit tests for status check with active, revoked, and inactive tokens
      • Requirements: 9.3, 9.4, 6.3

  • 3. Implement dynamic entity factory with Set-based claim storage

    • 3.1 Create dynamic Cedar entity creation system

      • Implement entity creation based on arbitrary mapping strings (e.g., "Acme::DolphinToken")
      • Create Cedar entities without pre-defined schemas using dynamic mapping
      • Create entity with token_type, jti, issuer, and validated_at fields, storing claims as tags
      • Support both schema-less mode (Set of String) and enhanced schema mode (proper data types)
      • Write unit tests for entity creation with standard and custom token mappings
      • Requirements: 4.3, 5.1, 5.5, 5.6, 9.8

    • 3.2 Implement Set-based claims extraction and storage

      • Extract all JWT claims as raw data without interpretation
      • Store all claims as Cedar entity tags with Set of String as default type
      • Convert single-valued claims to Sets for consistent interface
      • Support enhanced data type casting when Cedar schema is defined (DateTime, Long, Boolean)
      • Write unit tests for claims extraction and Set conversion with various JWT structures
      • Requirements: 5.5, 5.6, 9.7

  • 4. Implement token collection builder with Set-based joining logic

    • 4.1 Create token grouping by issuer and type with trusted issuer integration

      • Group tokens by issuer using trusted issuer metadata lookup
      • Group tokens by token type from mapping field
      • Implement issuer auto-discovery for new issuers using OpenID Connect Discovery
      • Cache discovered metadata in trusted issuer configuration
      • Write unit tests for token grouping with multiple issuers and auto-discovery scenarios
      • Requirements: 4.5, 5.2, 5.4, 10.1

    • 4.2 Implement Set-based token joining for same type/same issuer

      • Union all claims into Sets using Set union operations, preserving all values
      • Create comprehensive Sets even for traditionally single-valued claims
      • Maintain complete information with no data loss during joining process
      • Handle validation failures by excluding failed tokens from joins
      • Write unit tests for Set-based token joining with various claim combinations
      • Requirements: 5.2, 5.3, 9.6

    • 4.3 Create secure flattened naming convention system

      • Implement naming pattern: {trusted_issuer_name}_{token_type_simplified}
      • Use trusted issuer metadata name field for issuer prefix when available
      • Preserve complete domain structure without removing common prefixes for security
      • Create token type simplification logic (e.g., "Jans::Access_Token" → "access_token")
      • Log complete mapping from original issuer to final field name for security auditing
      • Write unit tests for secure naming convention with various issuer and token type combinations
      • Requirements: 5.4, 10.1, 10.2, 10.3, 10.4, 10.6

  • 5. Implement graceful error handling and logging

    • 5.1 Create validation failure logging system

      • Log signature validation failures with token identifier and cryptographic details
      • Log content validation failures with specific claim issues
      • Log status check failures with OAuth Status List results
      • Ensure sensitive token information is properly sanitized in logs
      • Write unit tests for logging output with various failure scenarios
      • Requirements: 9.4, 6.1, 6.2, 10.4

    • 5.2 Implement graceful degradation logic

      • Continue processing remaining tokens when individual tokens fail validation
      • Exclude failed tokens from Cedar entity mapping and memory
      • Proceed with token joining using only valid tokens
      • Write unit tests for mixed valid/invalid token scenarios
      • Requirements: 9.5, 9.6

  • 6. Create authorize_multi_issuer method implementation

    • 6.1 Implement main authorization method

      • Accept AuthorizeMultiIssuerRequest with token array
      • Orchestrate three-phase validation for all tokens
      • Create dynamic entities for valid tokens
      • Build token collection with joining logic
      • Write unit tests for complete authorization flow
      • Requirements: 1.1, 1.2, 1.3

    • 6.2 Integrate with Cedar policy evaluation using tag syntax

      • Pass flattened token collection to Cedar policy engine with secure naming
      • Ensure policies can access tokens via Cedar tag syntax (hasTag/getTag)
      • Support policy evaluation with Set-based claim access using contains() and containsAny()
      • Support numeric claims with Set of Long operations
      • Write unit tests for policy evaluation with token collection context and tag syntax
      • Requirements: 3.1, 3.2, 3.3, 3.4, 3.5

  • 7. Implement comprehensive error response handling

    • Create detailed error responses indicating which tokens failed and why
    • Provide context about which tokens were successfully processed
    • Include validation failure details in authorization response
    • Write unit tests for error response formatting with various failure combinations
    • Requirements: 6.1, 6.2, 6.3, 6.4

  • 8. Create integration tests for multi-issuer scenarios

    • 8.1 Test federation scenarios with multiple identity providers

      • Test tokens from different issuers (Google, corporate IDP, etc.)
      • Validate cross-issuer policy evaluation capabilities
      • Test issuer trust relationship handling
      • Requirements: 7.1, 7.2, 7.3, 7.4

    • 8.2 Test custom token type scenarios

      • Test arbitrary token mappings like "Acme::DolphinToken"
      • Validate dynamic entity creation for custom types
      • Test policy evaluation with custom token types
      • Requirements: 2.1, 4.3

  • 9. Implement performance optimizations

    • 9.1 Add parallel token validation processing

      • Implement concurrent validation for multiple tokens where possible
      • Ensure thread safety for validation operations
      • Write performance tests measuring validation timing
      • Requirements: 8.1

    • 9.2 Add token caching capabilities

      • Implement caching for validated tokens to avoid redundant processing
      • Handle cache invalidation for expired or revoked tokens
      • Write tests for caching behavior and performance improvements
      • Requirements: 8.2

  • 10. Create policy example test suite with Cedar tag syntax

    • 10.1 Test basic token query policies with hasTag/getTag syntax

      • Create test cases for issuer-specific claim checking using getTag("claim").contains("value")
      • Test scope-based authorization policies with single tokens using Set operations
      • Validate token existence checking with "context has tokens.issuer_token" syntax
      • Write unit tests for basic token query policy evaluation with correct Cedar syntax
      • Requirements: 3.1, 3.2, 3.4

    • 10.2 Test multi-token scope requirement policies with Set operations

      • Create test scenarios with tokens from different issuers using OR logic
      • Test scope checking across multiple access tokens with getTag("scope").contains()
      • Validate cross-issuer scope aggregation policies with Set-based operations
      • Write unit tests for multi-token scope requirement evaluation
      • Requirements: 3.3, 3.5, 7.3

    • 10.3 Test joined token query policies with Set union behavior

      • Create test cases for combined scope checking within joined tokens using Set operations
      • Test policies that require multiple scopes from same issuer with getTag().contains()
      • Validate Set union behavior in joined token claim aggregation
      • Write unit tests for joined token policy scenarios with Set-based claims
      • Requirements: 5.2, 5.3, 3.2

    • 10.4 Test custom token type policies with dynamic entities

      • Create test cases for arbitrary token mappings like "Acme::DolphinToken"
      • Test custom claim validation in non-standard token types using tag syntax
      • Validate dynamic entity creation with custom token policies
      • Write unit tests for custom token type policy evaluation with Set-based claims
      • Requirements: 2.1, 4.3, 5.1

    • 10.5 Test multi-issuer validation policies with trusted issuer naming

      • Create test scenarios requiring tokens from multiple specific issuers
      • Test enterprise security policies with secure issuer naming conventions
      • Validate cross-issuer claim correlation using trusted issuer metadata
      • Write unit tests for multi-issuer validation policy evaluation
      • Requirements: 7.1, 7.2, 7.4, 10.1

    • 10.6 Test numeric claims with Set of Long operations

      • Create test cases for numeric clearance levels using containsAny([5, 6, 7])
      • Test user ID authorization with contains(12345) for Long values
      • Test security score requirements with Set of Long operations
      • Validate proper data type handling when Cedar schema is defined
      • Write unit tests for numeric claim policy evaluation scenarios
      • Requirements: 3.5, 5.6

  • 11. Create comprehensive test suite

    • Write end-to-end integration tests covering complete authorization flows
    • Create performance tests for large numbers of tokens
    • Implement security tests for token tampering and replay attack scenarios
    • Create policy evaluation tests with various token collection structures
    • Requirements: 8.3, 8.4, 10.1, 10.2, 10.3

Clone this wiki locally