Debug access control
This guide explains how Access control debug tools work
Last updated
Was this helpful?
This guide explains how Access control debug tools work
Last updated
Was this helpful?
Aidbox offers multiple ways to debug access policies.
simplifies development & debugging AccessPolicy resources. It was introduced in March v2303 release of Aidbox.
__debug query-string parameterThere is a special query-string parameter __debug=policy you can pass to every Aidbox request. It will toggle debug mode for Request Authorization Layer, and in this mode instead of actual response client will get an object containing:
full request object;
an array of existing AccessPolicies;
evaluation result for every AccessPolicy (under AccessPolicy.evalResult).
Define AIDBOX_DEV_MODE to enable __debug parameter
x-debug: policy request headerFor requests with the x-debug: policy header, details of access policy evaluation will be logged.
su request headersu header allows to switch user on behalf of whom request is executed. Use su=<user/client id> to check how access control works for that user.
su header functionality can be enabled with box_debug_su_enable env
/auth/test-policy OperationYou can use a special operation POST /auth/test-policy to design policy without creating an AccessPolicy resource and for different users and clients. Post on the /auth/test-policy with a simulated request attribute (you can provide existing user-id and client-id — Aidbox will find and populate request) and temporal policy in the policy attribute. If you want to test JWT auth, put your token in the headers.authorization with the Bearer prefix — the token will be parsed and its claims appear in the request.jwt. JWT in a header is parsed but not validated. This allows you to test JWT policy without TokenIntrospector registration.
The response contains a result of evaluated policy.
