Integrating your authorization models with applications
To implement Amazon Verified Permissions in your application, you must define the policies and schema that you want your app to enforce. With your authorization model in place and tested, your next step is to start generating API requests from the point of enforcement. To do this, you must set up application logic that collects user data and populates authorization requests with it.
How an app authorizes requests with Verified Permissions
- Gather information about the current user. Typically, a user's details are provided in the details of an authenticated session, like a JWT or web session cookie. This user data might originate from an Amazon Cognito identity source linked to your policy store or from another OpenID Connect (OIDC) provider.
- Gather information about the resource that a user wants to access. Typically, your application will receive information about the resource when a user makes a selection that requires your app to load a new asset.
- Determine the action that your user wants to take.
- Generate an authorization request to Verified Permissions with the principal, action, resource, and entities for your user's attempted operation. Verified Permissions evaluates the request against the policies in your policy store and returns an authorization decision.
- Your application reads the allow or deny response from Verified Permissions and enforces the decision on the user's request.
Verified Permissions API operations are built into AWS SDKs. To include Verified Permissions in an app, integrate the AWS SDK for your chosen language into the app package.
To learn more and download AWS SDKs, see Tools for Amazon Web Services.
The following are links to documentation for Verified Permissions resources in various AWS SDKs.
The following AWS SDK for JavaScript example for IsAuthorized originates from Simplify fine-grained authorization with Amazon Verified Permissions and Amazon Cognito.
```javascript
const authResult = await avp.isAuthorized({
  principal: 'User::"alice"',
  action: 'Action::"view"',
  resource: 'Photo::"VacationPhoto94.jpg"',
  // whenever our policy references attributes of the entity,
  // isAuthorized needs an entity argument that provides
  // those attributes
  entities: {
    entityList: [
      {
        "identifier": { "entityType": "User", "entityId": "alice" },
        "attributes": { "location": { "String": "USA" } }
      }
    ]
  }
});
```
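The snippet above shows only the call itself. The following is an added example, written for this page and not taken from the AWS documentation or the blog post, of the glue logic the five steps earlier on the page describe: mapping an authenticated session into a principal and its entity attributes, assembling the IsAuthorized input, and enforcing the decision. It assumes a policy store with entity types `User`, `Photo` and `Action`, a `User` attribute `location` sourced from a `custom:location` JWT claim, and a placeholder policy store ID; the input shape (`policyStoreId`, `principal`/`action`/`resource` as identifier objects, lowercase `string` attribute key) follows the current IsAuthorized API rather than the string form in the snippet above. The client used to run it offline is a constructed stand-in for the SDK's `VerifiedPermissions` client, not a Cedar evaluator.

```javascript
// Added example (not from the AWS documentation page): glue logic between an
// authenticated session and a Verified Permissions IsAuthorized call.
// Assumptions, labelled here: entity types User, Photo and Action; a User's
// "location" attribute comes from a "custom:location" JWT claim; the policy
// store ID is a placeholder, not a real store.
const POLICY_STORE_ID = "PLACEHOLDER_POLICY_STORE_ID";

// Step 1: derive the principal and its attributes from decoded JWT claims.
// The token must already have been verified (signature, issuer, expiry) by
// the session layer; this function only maps trusted claims into entities.
function principalFromClaims(claims) {
  if (!claims || typeof claims.sub !== "string" || claims.sub.length === 0) {
    throw new Error("session has no subject; refusing to build a principal");
  }
  const identifier = { entityType: "User", entityId: claims.sub };
  const attributes = {};
  if (typeof claims["custom:location"] === "string") {
    attributes.location = { string: claims["custom:location"] };
  }
  return { identifier, attributes };
}

// Steps 2-4: assemble the IsAuthorized input from principal, action and resource.
function buildIsAuthorizedRequest({ claims, actionId, resourceType, resourceId }) {
  const principal = principalFromClaims(claims);
  return {
    policyStoreId: POLICY_STORE_ID,
    principal: principal.identifier,
    action: { actionType: "Action", actionId },
    resource: { entityType: resourceType, entityId: resourceId },
    // Entity data lets policies reference principal attributes
    // (for example principal.location) at evaluation time.
    entities: { entityList: [principal] },
  };
}

// Step 5: read the decision. Only an explicit ALLOW grants access; a DENY,
// a malformed response or an exception all fail closed.
async function enforce(client, request) {
  try {
    const result = await client.isAuthorized(request);
    return Boolean(result) && result.decision === "ALLOW";
  } catch (err) {
    return false;
  }
}

// Constructed stand-in for the SDK client. The real aggregated
// VerifiedPermissions client exposes isAuthorized(input) with this same input.
// The stand-in mimics a single policy, "permit view on Photo when
// principal.location == USA", so the example runs offline.
const stubClient = {
  async isAuthorized(input) {
    const entity = input.entities.entityList.find(
      (e) => e.identifier.entityId === input.principal.entityId
    );
    const location =
      entity && entity.attributes.location && entity.attributes.location.string;
    const allowed =
      input.action.actionId === "view" &&
      input.resource.entityType === "Photo" &&
      location === "USA";
    return { decision: allowed ? "ALLOW" : "DENY", determiningPolicies: [], errors: [] };
  },
};

// Constructed sample claims, as they would come out of an already-verified ID token.
const sampleClaims = { sub: "alice", "custom:location": "USA", exp: 1893456000 };

async function demo() {
  const request = buildIsAuthorizedRequest({
    claims: sampleClaims,
    actionId: "view",
    resourceType: "Photo",
    resourceId: "VacationPhoto94.jpg",
  });
  return enforce(stubClient, request);
}

demo().then((allowed) => console.log(allowed ? "access granted" : "access denied"));
```

With the real SDK, `stubClient` is replaced by `new VerifiedPermissions({ region })` from `@aws-sdk/client-verifiedpermissions` and nothing else changes. The important design choice is in `enforce`: the application never infers permission from the absence of a DENY, and a transport error or unexpected response shape yields a denial, so an outage of the authorization service cannot turn into an authorization bypass.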