Pluggable Authorization for Blaze
Problem
Blaze does not support FHIR's authorization for resource access control.
Every deployment of Blaze may have unique authorization providers and access control protocols.
Proposed Solution
Blaze should be deployed with a jar added to the classpath during launch. The authorization jar will provide a custom middleware for handling authorization. Initialization will be managed by Integrant.
Details
- The authorization jar must be added to the classpath during launch. For example:
  java -cp blaze.jar:my-authorization.jar blaze.core
- The fully qualified namespace must be provided with an environment variable named AUTHORIZATION_NS.
- If AUTHORIZATION_NS is non-nil and non-empty, try requiring-resolve on the provided path. If that fails, exit with a clear error message without starting Integrant.
  - Can consider checking for the existence of the OPENID_PROVIDER_URL env var because the identity key on request will likely be required
- The provided namespace must extend ig/init-key (and ig/halt-key! where appropriate)
  - ig/init-key should return a middleware (a function that takes request as the only argument)
  - Can consider checking for the existence of the :authorization init-key method using (keys (methods ig/init-key)) after using requiring-resolve on AUTHORIZATION_NS
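A sketch of the fail-fast startup check described in the list above, added here as an example and not taken from Blaze. The namespace name example.authorization-loader, the function check-authorization-ns, the name allow-list and the choice to treat a missing OPENID_PROVIDER_URL as an error are assumptions. Because requiring-resolve only accepts namespace-qualified symbols, the sketch loads the namespace itself with require.

```clojure
(ns example.authorization-loader
  "Added example, not Blaze code: validate AUTHORIZATION_NS before Integrant starts."
  (:require [clojure.string :as str]
            [integrant.core :as ig]))

;; Assumption: the plugin registers its ig/init-key method under :authorization,
;; the key named in the proposal.
(def authorization-key :authorization)

(defn check-authorization-ns
  "Returns {:ok? true ...} or {:ok? false :error msg}. `env` is a map of
  environment variables so the check can be exercised without a real process env."
  [env]
  (let [ns-name (get env "AUTHORIZATION_NS")]
    (cond
      ;; Nothing configured: nothing to load.
      (str/blank? ns-name)
      {:ok? true :authorization? false}

      ;; Conservative allow-list: only a plain dotted namespace name is loaded.
      (not (re-matches #"[A-Za-z][\w\-]*(\.[A-Za-z][\w\-]*)*" ns-name))
      {:ok? false :error (str "AUTHORIZATION_NS is not a namespace name: " (pr-str ns-name))}

      ;; Treated as an error here; the proposal only suggests considering this check.
      (str/blank? (get env "OPENID_PROVIDER_URL"))
      {:ok? false :error "AUTHORIZATION_NS is set but OPENID_PROVIDER_URL is not"}

      :else
      (try
        (require (symbol ns-name))
        ;; Loading the namespace must have registered the init-key method.
        (if (contains? (methods ig/init-key) authorization-key)
          {:ok? true :authorization? true}
          {:ok? false
           :error (str ns-name " loaded, but no ig/init-key method for " authorization-key)})
        (catch Throwable e
          {:ok? false
           :error (str "Cannot load " ns-name ": " (ex-message e))})))))

(defn -main [& _]
  (let [{:keys [ok? error]} (check-authorization-ns (System/getenv))]
    (when-not ok?
      (binding [*out* *err*] (println error))
      (System/exit 1))
    ;; Integrant is initialised only after this point.
    ))
```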
Pros and Cons
Pros
- Custom authorization implementation for every Blaze deployment
- Blaze needs to know nothing about configuration for the authorization service
- Fail fast if authorization namespace cannot be found
- Leverage existing Integrant+middleware architecture
Cons
- Configuration of the authorization service (for example, database) will take more effort than a solution integrated directly into Blaze