Authorization as a service for your Node.js apps
Fine-grained authorization in Node.js
Authorization in Node.js
Node.js is a popular, open-source JavaScript server runtime environment. Aserto is a powerful authorization-as-a-service platform that lets you add enterprise-grade role-based access control (RBAC) to your Node.js application in under a day. Quickstarts, a Node.js / Express.js SDK, and REST/gRPC APIs are available to help you get up and running.
Aserto helps you define, evolve, and enforce user permissions within your Node.js application. It’s simple to integrate, but powerful enough to support fine-grained access control, custom roles, and audit trails - all essential features for adoption within large customer organizations.
Built on trusted open-source projects like OPA and OCI, Aserto handles all the heavy lifting required to achieve secure, scalable, high-performance RBAC and attribute-based access control (ABAC).
Adding authorization to your Node.js application
Authorization should happen every time your application needs to access a protected resource on behalf of a user. To perform an authorization check, your application should call the Aserto Authorizer and pass user context (typically in the form of an access token), policy context, and resource context. The Aserto Authorizer uses the popular open-source OPA decision engine to quickly make an authorization decision based on this data. The returned decision determines whether your application should pass or fail the request.
The Aserto Node.js SDK contains three capabilities that make it easy to add authorization to your application:
- A function called `is` which you can call with the user context, policy context, and resource context, and that returns an authorization decision.
- Middleware that can be added to an Express.js route, which calls the Aserto authorizer and will return an “access denied” response if the user isn’t authorized to perform the operation on that resource.
- A display state map for every operation, which your frontend (e.g. React) application can use to conditionally render UI based on the permissions of the current user.
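The three-context check and the "access denied" middleware described above, as an added example that is not code from Aserto's SDK or docs: `isAuthorized` stands in for the SDK's `is` call and is injected so the block runs offline; its argument shape and the policy path naming are assumptions, and `stubIs` is a constructed stand-in for the decision the Authorizer would make.

```javascript
// Added example, not Aserto SDK code. The authorizer call is injected as
// `isAuthorized`; its argument shape below is an assumption for illustration.
function extractBearer(req) {
  const header = (req.headers && req.headers.authorization) || '';
  const [scheme, token] = header.split(' ');
  return scheme === 'Bearer' && token ? token : null;
}

// policyPath names the policy rule to evaluate (naming assumed); resourceFromReq builds the resource context.
function requireAuthz(isAuthorized, policyPath, resourceFromReq) {
  return async function (req, res, next) {
    const token = extractBearer(req);
    if (!token) return res.status(401).json({ error: 'missing bearer token' });
    try {
      const allowed = await isAuthorized({
        identityContext: { type: 'jwt', token },          // user context
        policyContext: { path: policyPath, decisions: ['allowed'] },
        resourceContext: resourceFromReq(req),            // resource context
      });
      // Only an explicit true grants access; anything else is a deny.
      if (allowed !== true) return res.status(403).json({ error: 'access denied' });
      return next();
    } catch {
      // Fail closed: an unreachable authorizer must never grant access.
      return res.status(503).json({ error: 'authorization unavailable' });
    }
  };
}

// Constructed stand-in for the Authorizer: a user may only read a document they own.
const OWNERS = { 'doc-1': 'tok-alice', 'doc-2': 'tok-bob' };
async function stubIs({ identityContext, resourceContext }) {
  return OWNERS[resourceContext.docId] === identityContext.token;
}

// Minimal fake req/res so the middleware can be exercised without Express.
function makeReq(token, docId) {
  return { headers: token ? { authorization: `Bearer ${token}` } : {}, params: { docId } };
}
async function run(mw, req) {
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  let nextCalled = false;
  await mw(req, res, () => { nextCalled = true; });
  return { status: res.statusCode, nextCalled };
}

const readDoc = requireAuthz(stubIs, 'docs.GET.api.docs.__docId', (req) => ({ docId: req.params.docId }));
```

`run(readDoc, makeReq('tok-alice', 'doc-1'))` resolves with status 200 and `nextCalled: true`, while a non-owner token yields 403 and a missing token 401.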
Authorizer deployment options
Aserto runs a hosted authorizer as a service, which is great for development, since you don’t have to stand anything up to get started with adding authorization to your application.
For production deployments, you should deploy Aserto’s Edge Authorizer right next to your application, either as a sidecar or a microservice in the same cluster or subnet. Aserto’s control plane automatically syncs all of the user, resource, and policy data to the Edge Authorizer, so it is ready to make lightning-fast authorization decisions for your Node.js application.
Auditing authorization decisions
Aserto keeps a record of every authorization decision in a decision log for easy auditing from the control plane. Decision logs can be streamed or batched up into your favorite log analysis tool. Aserto makes this data available to applications in two ways:
1. A set of bucket storage objects you can download
2. A near real-time data stream you can tap via the Aserto APIs or the Aserto CLI
The Edge Authorizer architecture
Authorization happens upon every request, so response time is critical. The Aserto Edge Authorizers are deployed as microservices or sidecars right next to your application to minimize latency and maximize availability, so your application is never dependent on the availability of a remote authorization service.
The Edge Authorizers make authorization decisions based on three important inputs:
1. Policies from your policy registry
2. Users, attributes, and roles from your identity provider, supplemented with application-specific information from the Aserto directory
3. Resource context passed by your application
Any changes made to your identity provider’s directory are automatically synchronized into the Aserto directory, so your authorization decisions are always up-to-date. Aserto pushes any updates to your Edge Authorizer in near real time. Alternatively, the system can be configured to update on an interval determined by the application administrator.
Leveraging the policy, user, and resource contexts, Aserto makes it easy to evolve your authorization from coarse-grained RBAC to fine-grained authorization using ABAC, access-control lists (ACL), or a mix thereof to meet the needs of your enterprise customers as they evolve. Aserto allows you to build a strong authorization foundation once, and adapt your access control model over time to match your customers’ requirements.
Aserto also comes with the following benefits:
- Out-of-the-box support for audit trails, custom roles, RBAC, ABAC, and ACL
- A policy-as-code workflow to build, tag, push, version, and pull policy images (like docker images)
- Integrations with your identity provider, artifact registry, logging system, and frontend framework of your choice
- Built on top of a trusted OSS policy engine, the Open Policy Agent (OPA)