REST APIs

Services that are consumed as part of a solution must provide REST APIs that can be called by the Hub user interface.

As explained in What is required to define a solution in SPIRE? and Authorization Tokens, any API that requires authentication (which is expected to be the vast majority of a service’s API) must include code to decode the authorization token and:

  1. Retrieve the public biscuit keys from SPIRE.

  2. For each of those keys that is still valid, check whether the biscuit can be extracted from the token with that public key.

  3. If no biscuit can be extracted, report an error.

  4. Create a biscuit authorizer that defines “now” and add a policy telling the authorizer to allow the biscuit if its rules pass. For example:

```python
import datetime
from biscuit_auth import Authorizer, Policy

# Give the authorizer the current time so that time-based checks in the token can be evaluated
authorizer = Authorizer(
    """
    time({now});
    """,
    {'now': int(datetime.datetime.now().timestamp())},
)
authorizer.add_token(biscuit)                 # the biscuit extracted in step 2
authorizer.add_policy(Policy("allow if true"))
authorizer.authorize()                        # raises if any check in the token fails
```

If that step completes, the authorizer can be used to query for the rules that contain the permissions required by a specific API.

If AWS API Gateway is being used, steps 1-4 can be performed in a Lambda authorizer rather than within the API itself. Doing so separates the initial validation of the authorization token from the API code, and allows a “default deny” to take place if anything goes wrong in the authorizer.
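The following is an added example of steps 1-4 wired into a Lambda authorizer with default deny; it is not SPIRE's own code. The shape of the key records returned by SPIRE (`public_key`, `valid_until`) and the SPIRE key list itself are constructed assumptions for this example. The biscuit parsing and authorization steps are isolated in two small functions that call the `biscuit_auth` library used by the snippet above, and they are injectable so the fail-closed logic can be exercised without a real token.

```python
"""Lambda authorizer for a SPIRE solution API (added example, not SPIRE's own code)."""
import datetime

# Assumed shape of the public keys retrieved from SPIRE (step 1): constructed sample data.
# The page only says that keys are retrieved and that some may no longer be valid.
SAMPLE_SPIRE_KEYS = [
    {"key_id": "old", "public_key": "PUBKEY-OLD-HEX", "valid_until": 1_700_000_000},
    {"key_id": "current", "public_key": "PUBKEY-CURRENT-HEX", "valid_until": 4_102_444_800},
]


def valid_keys(keys, now):
    """Step 2 (filter): keep only keys whose validity window still covers `now`."""
    return [k for k in keys if k["valid_until"] > now]


def extract_biscuit(token, keys, parse):
    """Steps 2-3: try every still-valid key; fail closed if none verifies the token."""
    for k in keys:
        try:
            return parse(token, k["public_key"])
        except Exception:
            continue  # signed with another key, or not a genuine token: try the next key
    raise PermissionError("no valid SPIRE key verifies this token")


def parse_with_biscuit_auth(token, public_key_hex):
    """Parse a base64 token with one SPIRE public key via biscuit_auth (imported lazily)."""
    from biscuit_auth import Biscuit, PublicKey
    return Biscuit.from_base64(token, PublicKey.from_hex(public_key_hex))


def authorize_biscuit(biscuit, now):
    """Step 4, as in the snippet above: define `now`, allow if the token's checks pass."""
    from biscuit_auth import Authorizer, Policy
    authorizer = Authorizer("time({now});", {"now": now})
    authorizer.add_token(biscuit)
    authorizer.add_policy(Policy("allow if true"))
    authorizer.authorize()  # raises if any check in the biscuit fails
    return authorizer


def lambda_authorizer(event, spire_keys, parse=parse_with_biscuit_auth,
                      authorize=authorize_biscuit, now=None):
    """TOKEN-type API Gateway Lambda authorizer: anything unexpected yields Deny."""
    if now is None:
        now = int(datetime.datetime.now(datetime.timezone.utc).timestamp())
    effect, principal = "Deny", "anonymous"
    try:
        token = event["authorizationToken"]          # missing header -> KeyError -> Deny
        biscuit = extract_biscuit(token, valid_keys(spire_keys, now), parse)
        authorize(biscuit, now)
        effect, principal = "Allow", "biscuit-holder"
    except Exception:
        effect = "Deny"  # default deny: parse errors, failed checks, no valid key, bad event
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": event.get("methodArn", "*"),
            }],
        },
    }
```

Every failure path, including a malformed event, ends in the same `Deny` policy document, which is the property the Lambda authorizer is meant to guarantee; the API code behind it only ever sees requests whose token was verified against a currently valid SPIRE key.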