Welcome to Doorman’s documentation!


Doorman is an authorization micro-service that checks whether an arbitrary subject is allowed to perform an action on a resource, based on a set of rules (policies).

Having a centralized access control service has several advantages:

  • it clearly dissociates authentication from authorization
  • it provides a standard and generic permissions system to services developers
  • it facilitates permissions management across services (e.g. it makes revocation easier)
  • it allows monitoring of authorization decisions, metrics and anomaly detection

Workflow

[Figure: flow.png, the Doorman request workflow diagram]

It relies on OpenID Connect to authenticate requests. The policies are defined per service and loaded in memory. Every authorization request is logged.

When a service takes advantage of Doorman, a typical workflow is:

  1. Users obtain an access token from an Identity Provider (e.g. Auth0)
  2. They use it to call a service API endpoint
  3. The service posts an authorization request on Doorman to check if the user is allowed to perform a specific action
  4. Doorman uses the Origin request header to select the set of policies to match
  5. Doorman fetches the user info using the provided access token and builds a list of strings (principals) that characterize this user
  6. Doorman matches the policies and returns whether the action is allowed, along with the list of principals
  7. Based on the Doorman response, the service denies the original request or executes it
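The workflow above (steps 4 to 7), as an added stand-alone simulation in Python; this is example code written for this page, not Doorman's own implementation. The policy document format, the principal prefixes (`userid:`, `email:`, `group:`), the "deny overrides allow" rule and the Identity Provider lookup table are all assumptions constructed for the example.

```python
from fnmatch import fnmatchcase

# Constructed sample: one policy set per Origin (the policy fields are an assumed format).
POLICIES_BY_ORIGIN = {
    "https://notes.example.com": [
        {"id": "authors-edit", "effect": "allow", "principals": ["group:authors"],
         "actions": ["create", "update"], "resources": ["note:*"]},
        {"id": "everyone-read", "effect": "allow", "principals": ["userid:*"],
         "actions": ["read"], "resources": ["note:*"]},
        {"id": "banned", "effect": "deny", "principals": ["group:banned"],
         "actions": ["*"], "resources": ["*"]},
    ],
}

# Constructed stand-in for the Identity Provider's userinfo endpoint, keyed by access token.
USERINFO_BY_TOKEN = {
    "token-alice": {"sub": "alice", "email": "alice@example.com", "groups": ["authors"]},
    "token-bob": {"sub": "bob", "email": "bob@example.com", "groups": ["banned"]},
}


def build_principals(userinfo):
    """Step 5: turn the user info into a list of strings (prefixes are assumed)."""
    principals = ["userid:" + userinfo["sub"], "email:" + userinfo["email"]]
    principals += ["group:" + g for g in userinfo.get("groups", [])]
    return principals


def is_allowed(origin, token, action, resource):
    """Steps 4-6: select policies by Origin, resolve the token, match; deny wins over allow."""
    policies = POLICIES_BY_ORIGIN.get(origin)
    userinfo = USERINFO_BY_TOKEN.get(token)
    if policies is None or userinfo is None:
        # Unknown service or unresolvable token: default to deny, expose no principals.
        return {"allowed": False, "principals": []}
    principals = build_principals(userinfo)
    allowed = False
    for p in policies:
        if (any(fnmatchcase(pr, pat) for pr in principals for pat in p["principals"])
                and any(fnmatchcase(action, a) for a in p["actions"])
                and any(fnmatchcase(resource, r) for r in p["resources"])):
            if p["effect"] == "deny":
                return {"allowed": False, "principals": principals}
            allowed = True
    return {"allowed": allowed, "principals": principals}


def handle_request(origin, token, action, resource):
    """Step 7: the calling service executes or denies based on Doorman's answer."""
    decision = is_allowed(origin, token, action, resource)
    return "200 executed" if decision["allowed"] else "403 forbidden"
```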

Indices and tables