Debug Access Control
Last updated
Was this helpful?
Last updated
Was this helpful?
There are 5 different ways to debug access control in Aidbox:
Access policy dev tool
__debug search parameter
x-debug header
su header
/auth/test-policy endpoint
We recommend using Access Policy Dev Tool.
Access policy dev tool simplifies development and debugging AccessPolicies. It was introduced in March v2303 release of Aidbox.
The dev tool is a part of Aidbox UI Console, which aims
to edit AccessPolicy resource, and
to give a nice view for AccessPolicy debug output for a specific request in the same place.
The dev tool is split into two sides, the editor side and the result side. On the left side, you define
HTTP request you are going to debug.
When you press the Save & Run button, the dev tool saves AccessPolicy and performs policy debug operation for the specified request, and displays the result on the right side. You can see there
Evaluate policy result. List of all access policies and the result of evaluation.
Parsed HTTP request. It's an internal representation of the request, which Aidbox passes to the eval-policy function.
By default, Aidbox sends requests with your current session (your identity and permissions). To authenticate with another session, add an Authorization
header to the request, e.g.
__debug
query-string parameterThere is a special query-string parameter __debug=policy
you can pass to every Aidbox request. It will toggle debug mode for Request Authorization Layer, and in this mode, instead of the actual response client will get an object containing:of the
full request object;
an array of existing AccessPolicies;
evaluation result for every AccessPolicy (under AccessPolicy.evalResult
).
x-debug: policy
request headerFor requests with the x-debug: policy
header, details of access policy evaluation will be logged.
su
request headersu
header allows to switch user on behalf of whom request is executed. Use su=<user/client id>
to check how access control works for that user.
Usual request without the header as an admin:
Request on behalf of User myid
who has no access to the Patient search:
/auth/test-policy
OperationYou can use a special operation POST /auth/test-policy
to design AccessPolicy without creating it.
Post on the /auth/test-policy
with:
a simulated request (you can provide existing user-id
and client-id
),
policy code in the policy attribute.
If you want to test JWT auth, put your token in the headers.authorization
with the Bearer
prefix. In this case, the token will be parsed, and its claims appear in the request.jwt
.
JWT in a header is parsed but not validated.
This allows you to test JWT policy without TokenIntrospector registration.
The response contains a result of evaluated policy.
and
To use the Access policy dev tool, setting must be enabled.
To use the header, setting must be enabled.
To use the header, setting must be enabled.
To use the header, must be enabled.