Oso

What is Oso?

Oso is a batteries-included framework for building authorization in your application.

With Oso, you can:

  • Model: Set up common permissions patterns like role-based access control (RBAC) and relationships using Oso’s built-in primitives. Extend them however you need with Oso’s declarative policy language, Polar.
  • Filter: Go beyond yes/no authorization questions. Implement authorization over collections too - e.g., “Show me only the records that Juno can see.”
  • Test: Write unit tests over your authorization logic now that you have a single interface for it. Use the Oso debugger or REPL to track down unexpected behavior.

Oso offers libraries for Node.js, Python, Go, Rust, Ruby, and Java.
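To make the Model and Filter bullets concrete, here is an added example that is not Oso's own code: a plain-Python evaluator for the policy shape those bullets describe, with role-based access on a repository, role implication (an admin is also a maintainer, a maintainer is also a contributor), an attribute rule that lets anyone read a public repository, and a filter that reduces a collection to the records one user may see. The class and function names, and the sample users and repositories, are this example's own and are constructed inline; it runs without the oso package.

```python
"""Added example, not Oso's own code: a plain-Python evaluator for the policy
shape the README's Model and Filter bullets describe (role-based access with
role implication, an attribute rule for public repos, and filtering a
collection down to the records one user may see). Class and function names
are this example's own; sample users and repos are constructed below."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Repo:
    name: str
    is_public: bool = False


@dataclass(frozen=True)
class RepoRole:
    name: str          # "contributor", "maintainer" or "admin"
    repo: Repo


@dataclass
class User:
    email: str
    repo_roles: list = field(default_factory=list)


# Role implication, as in a Polar resource block:
#   "maintainer" if "admin";  "contributor" if "maintainer";
ROLE_IMPLIES = {"admin": {"maintainer"}, "maintainer": {"contributor"}, "contributor": set()}
# Permissions each role grants directly:
#   "read" if "contributor";  "push" if "maintainer";  "delete" if "admin";
ROLE_PERMISSIONS = {"contributor": {"read"}, "maintainer": {"push"}, "admin": {"delete"}}


def effective_roles(user, repo):
    """All roles the user holds on repo: the direct ones plus everything they imply."""
    roles = {r.name for r in user.repo_roles if r.repo == repo}
    pending = list(roles)
    while pending:
        for implied in ROLE_IMPLIES.get(pending.pop(), ()):
            if implied not in roles:
                roles.add(implied)
                pending.append(implied)
    return roles


def has_permission(user, action, repo):
    """Attribute rule first (anyone may read a public repo), then role grants."""
    if action == "read" and repo.is_public:
        return True
    return any(action in ROLE_PERMISSIONS.get(role, ()) for role in effective_roles(user, repo))


def is_allowed(user, action, repo):
    """The top-level allow(actor, action, resource) decision."""
    return has_permission(user, action, repo)


def authorized_repos(user, action, repos):
    """The Filter bullet: reduce a collection to the records the user may act on."""
    return [r for r in repos if is_allowed(user, action, r)]


# Constructed sample data: one public repo, one Juno administers, one she contributes to.
PUBLIC_DOCS = Repo("docs", is_public=True)
PRIVATE_APP = Repo("app")
OTHER_APP = Repo("other")
JUNO = User("juno@example.com", [RepoRole("admin", PRIVATE_APP), RepoRole("contributor", OTHER_APP)])
GUEST = User("guest@example.com")

if __name__ == "__main__":
    for action in ("read", "push", "delete"):
        names = [r.name for r in authorized_repos(JUNO, action, [PUBLIC_DOCS, PRIVATE_APP, OTHER_APP])]
        print(action, names)
```

The implication closure is computed per (user, repo) pair rather than stored, so adding a role to a user never requires recomputing anything else, and the filter is just the yes/no check applied element-wise; for large collections the real library's data filtering pushes that predicate into the query instead.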

Our latest creation Oso Cloud (Preview) makes authorization across services as easy as oso.authorize(user, action, resource). Learn about it.

Documentation

Community & Support

If you have any questions about Oso or authorization more generally, you can join our engineering team and hundreds of other developers using Oso in our community Slack.

Share your story

We'd love to hear about your use case and experience with Oso. Share your story in our Success Stories issue or fill out this form for some Oso swag.

Development

Core

Oso's Rust core is developed against Rust's latest stable release.

Language libraries

Oso's language libraries can be developed without touching the Rust core, but you will still need the Rust stable toolchain installed in order to build the core.

To build the WebAssembly core for the Node.js library, you will need to have wasm-pack installed and available on your system PATH.

Language requirements

To work on a language library, you will need to meet the following version requirements:

  • Java: 10+
    • Maven: 3.6+
  • Node.js: 12.20.0+
    • Yarn 1.22+
  • Python: 3.6+
  • Ruby: 2.4+
    • Bundler 2.1.4+
  • Rust: 1.46+
  • Go: 1.14+

Contributing & Jobs

See: CONTRIBUTING.md.

If you want to work on the Oso codebase full-time, visit our jobs page.

License

See: LICENSE.

Owner: Oso

Comments
  • Oso does not support Kotlin data classes

    Hey 👋 Finally getting around to trialing Oso as an auth solution for a Kotlin application that I'm building.

    However, it seems that Oso does not support Kotlin data classes :( Or, as is always possible... I'm just doing something dumb

    I am trying to emulate the Java quickstart example, with a User trying to read from a repository.

    I have the following models

    data class Repo(
      val id: UUID,
      val name: String,
      val isPublic: Boolean
    )
    
    data class User (
      val id: UUID,
      val email: String,
      val repoRoles: List<RepoRole>
    )
    

    I have set up OSO with the following

    private val oso: Oso = Oso()

    init {
      // On a tangent... it doesn't seem to even load
      // unless I explicitly repeat the class name as the second param
      oso.registerClass(Repo::class.java, "Repo")
      oso.registerClass(User::class.java, "User")
      oso.loadStr(
        """
        allow(actor, action, resource) if
          has_permission(actor, action, resource);

        actor User {}

        resource Repo {
          permissions = ["read", "push", "delete"];
          roles = ["contributor", "maintainer", "admin"];

          "read" if "contributor";
          "push" if "maintainer";
          "delete" if "admin";

          "maintainer" if "admin";
          "contributor" if "maintainer";
        }

        # This rule tells Oso how to fetch roles for a Repo
        has_role(actor: User, role_name: String, Repo: Repo) if
          role in actor.repoRoles and
          role_name = role.name and
          Repo = role.Repo;

        has_permission(_actor: User, "read", Repo: Repo) if
          Repo.isPublic;

        allow(actor, action, resource) if
          has_permission(actor, action, resource);
        """.trimIndent()
      )
    }
    

    Just as a test, I have created a repo with isPublic=true and name test. However, when I run the following

    fun readByName(name: String): RepoModels.Response {
      val result = Repo(
        id = UUID.randomUUID(),
        name = name,
        isPublic = true
      )
      val user = User(
        id = UUID.randomUUID(),
        email = "[email protected]",
        repoRoles = listOf(RepoRole(role = "admin", repo = result))
      )
      oso.authorize(user, "read", result)
      return RepoModels.Response.fromRepo(result)
    }
    

    I get an authorization error from oso:

    com.osohq.oso.Exceptions$NotFoundException: Oso NotFoundException -- The current user does not have permission to read the given resource. You should handle this error by returning a 404 error to the client.
    	at com.osohq.oso.Oso.authorize(Oso.java:110)
    	at com.osohq.oso.Oso.authorize(Oso.java:118)
    	at io.bkbn.sourdough.api.service.RepoService.readByName(RepoService.kt:81)
            // ...
    

    If it helps, I have pushed all of this code to a repo: https://github.com/bkbnio/oso-poc. Instructions in the README explain how to run the app. If you have any issues getting it set up, just let me know :)

    You can emulate this error by running GET localhost:8080/repo?name=test

  • [python] Allow use of other JSON encoder/decoders

    Thanks for oso!

    It would be lovely if there was a simple way for polar to make use of other, more performant JSON encoder/decoder libraries.

    For example, by monkeypatching the rust-based orjson into polar.(cffi|query|errors), I've observed calls to json.loads pretty much disappearing into noise when profiled with pyinstrument, whereas previously it was rather pronounced.

  • Fix macro namespacing and serialization bugs

    Though polar_core macros are exposed publicly, they are not usable without importing polar_core::* since they expect other polar_core macros to be in scope. Using $crate references as appropriate fixes this. Also, fix a Value::String string injection bug and Operator::Dot bug causing incorrect serialization when the second argument is a Value::String that requires quotes.

    PR checklist:

    • [x] Added changelog entry.
  • Update django-oso to use automatic AppConfig discovery for Django 3.2+

    Update django-oso to use automatic AppConfig discovery for Django 3.2+, which avoids the warning "RemovedInDjango41Warning: 'django_oso' defines default_app_config = 'django_oso.apps.DjangoOsoConfig'. Django now detects this configuration automatically. You can remove default_app_config." See https://docs.djangoproject.com/en/3.2/releases/3.2/#automatic-appconfig-discovery

  • [Ask] Go (Golang) Oso performance improvement advice

    Context:

    We're using go-oso v0.26.0 (github.com/osohq/go-oso)

    We have a strict timeout of 2s. If a request exceeds 2s, we automatically return a timeout response. After digging deeper through profiling, we found that the Oso Go library takes at least 2s for some requests at every 1-hour interval.

    Asks

    • Any advice on how we can improve this? Every hour, our response time increases to 2-5s, when it is normally around 30ms at P95. Could it be a GC issue?
    • Any best practice that we can follow?
  • Parametrized Action / Ternary authorization

    Hi,

    I have an authorization scenario which I find myself unable to implement, and the documentation / tutorials on the docs.osohq website don't seem to mention such a scenario at all:

    I have an Event class with attendees, and some of the attendees are managers. The troublesome case is the following: managers of an Event can remove attendees unless the attendee to be removed is another manager. has_permission(p: Person, "remove", e: Event), where p is the actor, does not do it because the person to be removed is not referenced. The problem is that the action must be of type string.

    What is the typical way to handle such a policy? It seems to be common enough.

    Some additional thoughts I explored:

    • adding oso.authorize(current_user, "remove_attendee", event) and oso.authorize(current_user, "remove_attendee", attendee) as separate enforcement checks does not suffice.
    • adding a Relation during class registration does not help either. It might give us access to the list of managers of the event, but the relevant parameter (namely which attendee we are trying to remove) is still missing.

    Is this scenario not enforceable with the current API of strictly only string-type actions or have I overlooked something in the documentation? If it is possible, an example in the tutorials would probably be great, since this type of access policy is probably fairly common.

    Thanks for commenting
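One way to model the check described in the Parametrized Action question above, shown as an added example in plain Python rather than as anything from the page or from Oso's API: keep the action a plain string and fold the second object (the attendee being removed) into the resource, so the decision still has the actor/action/resource shape. The class names, the AttendeeRemoval record and the sample event are this example's own and are constructed inline.

```python
"""Added example, not part of the page or of Oso's API: one way to model a
decision that depends on a second object (the attendee being removed) while
the action stays a plain string. The target is folded into the resource, so
the check is still authorize(actor, "remove", resource). Class names are this
example's own; the sample event is constructed below."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Person:
    name: str


@dataclass
class Event:
    title: str
    attendees: set = field(default_factory=set)
    managers: set = field(default_factory=set)


@dataclass
class AttendeeRemoval:
    """Resource for the "remove" action: which attendee is leaving which event."""
    event: Event
    attendee: Person


def has_permission(actor, action, resource):
    """Managers may remove attendees, but never another manager."""
    if action == "remove" and isinstance(resource, AttendeeRemoval):
        event, target = resource.event, resource.attendee
        return (actor in event.managers
                and target in event.attendees
                and target not in event.managers)
    return False


def authorize(actor, action, resource):
    """Enforcement point: raise on denial rather than return False."""
    if not has_permission(actor, action, resource):
        raise PermissionError(f"{actor.name} may not {action} {resource!r}")
    return True


def remove_attendee(actor, event, target):
    """The application operation; the check runs before any mutation."""
    authorize(actor, "remove", AttendeeRemoval(event, target))
    event.attendees.discard(target)
    return event


def can_remove(actor, event, target):
    """Yes/no form of the same decision, for UI checks and tests."""
    return has_permission(actor, "remove", AttendeeRemoval(event, target))


def try_remove(actor, event, target):
    """Returns True when the removal went through, False when it was denied."""
    try:
        remove_attendee(actor, event, target)
    except PermissionError:
        return False
    return True


# Constructed sample: two managers and one ordinary attendee.
ALICE, BOB, CAROL = Person("alice"), Person("bob"), Person("carol")
MEETUP = Event("meetup", attendees={ALICE, BOB, CAROL}, managers={ALICE, BOB})

if __name__ == "__main__":
    print("alice removes carol:", can_remove(ALICE, MEETUP, CAROL))
    print("alice removes bob:", can_remove(ALICE, MEETUP, BOB))
```

The point of the composite resource is that every fact the rule needs (who is acting, which event, who is being removed, and whether that person is a manager) is reachable from the three arguments, so the "unless the attendee is another manager" clause becomes an ordinary condition on the resource instead of a second action or a second enforcement call.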

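The "[python] Allow use of other JSON encoder/decoders" request above asks for one place to choose the JSON library instead of monkeypatching several modules. The following is an added example of that seam, not code from the oso or polar packages: a codec object selected once, with orjson used when it is installed and the standard library otherwise, and the bytes-versus-str difference between the two normalised so callers never see it. The function names (set_json_codec and friends) and the sample term are this example's own.

```python
"""Added example, not code from the oso or polar packages: a single seam where
the JSON codec used for the Rust/Python boundary is chosen, so a faster
library such as orjson can be dropped in without monkeypatching several
modules. Names such as set_json_codec are this example's own."""
import json


class JsonCodec:
    """Thin uniform front for any loads/dumps pair."""

    def __init__(self, name, loads, dumps):
        self.name = name
        self._loads = loads
        self._dumps = dumps

    def loads(self, data):
        return self._loads(data)

    def dumps(self, obj):
        out = self._dumps(obj)
        # orjson.dumps returns bytes while the stdlib returns str; code that
        # hands the text to the FFI layer expects str, so normalise here.
        return out.decode("utf-8") if isinstance(out, bytes) else out


def stdlib_codec():
    return JsonCodec("json", json.loads, json.dumps)


def orjson_codec():
    """The orjson-backed codec, or None when the optional dependency is absent."""
    try:
        import orjson
    except ImportError:
        return None
    return JsonCodec("orjson", orjson.loads, orjson.dumps)


def default_codec():
    """Prefer orjson when available, fall back to the standard library."""
    return orjson_codec() or stdlib_codec()


_codec = default_codec()


def set_json_codec(codec):
    """Swap the process-wide codec; returns the previous one so callers can restore it."""
    global _codec
    previous, _codec = _codec, codec
    return previous


def loads(data):
    return _codec.loads(data)


def dumps(obj):
    return _codec.dumps(obj)


# A constructed term of the nested shape exchanged with the Polar core.
SAMPLE_TERM = {"value": {"Dictionary": {"fields": {"name": {"value": {"String": "Juno"}}}}}}


def round_trip(obj):
    """Encode then decode with the current codec; must give back an equal object."""
    return loads(dumps(obj))


if __name__ == "__main__":
    print("codec in use:", _codec.name)
    print("round trip ok:", round_trip(SAMPLE_TERM) == SAMPLE_TERM)
```

Because every module would call loads and dumps from this one place, swapping the library is a single set_json_codec call, and a round-trip check of a representative term is enough to catch a codec whose output differs in a way the core would notice.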