This repository demonstrates a working implementation of Oso in an AWS Lambda context using TypeScript, and being deployed with Serverless Framework. When deployed, it will first pass the request through an Oso-powered Lambda authorizer on AWS API Gateway, and successful calls will be fed into a very basic function responding with OK.
Note: Uses and adapts the same quickstart example as Oso provides.
Oso uses proprietary files in the .polar format to store the policies it will use.
Assets and files like that tend to cause problems with bundlers, like Webpack, which are incredibly common (and useful) when building web applications.
Despite trying several solutions for a few hours I was unable to get everything working the way you might expect with Webpack, Serverless Framework, and serverless-offline.
While other, older Oso examples work just fine, they are unfortunately written in "old-style" Node and are in plain JS rather than TypeScript.
I had to strike a compromise where this solution is able to use TypeScript and Serverless Framework, but in which we will trade away some of the packaging automation. The way this is achieved is by doing the packaging step manually, so that we can be very precise with how we pull in the right materials. Therefore, it does not use the built in packaging from Serverless Framework.
In closing: The particular type of solution provided here would therefore work best in a situation where you can deploy the authorizer (in which we use Oso here) separately from any other application stacks. Else you will have to do some hooking and wiring to not break the regular bundling that you will expect for the other microservices.
First you will have to build the application with npm run package.
Deploy the stack with npm run deploy.
Copy the URL and use it as below.
Call the deployed endpoint and set an Authorization header. To define your identity and the "requested" use, we will be using that Authorization header.
- A combination such as
Authorization: graham#osowill work. - However,
Authorization: graham#gmailwill not work.
To better understand the specifics of the permissions model, see repositoriesDb and usersDb in index.ts, as well as how they relate to the policy defined in policy.polar.
Run npm run teardown.