Policy Enforcment Point
Description of Policy Enforcment Point for Altinn Studio Apps
There will be some different Policy Enforcement Points in Altinn Platform depending on the service in platform.
Attribute based authorization is best solved with Policy Based Authorization in asp.net core
The Policy Enforcement Point in the ASP.Net Web application template is created as a Authorization Handler.
In the App there is defined a set of AuthorizationRequirements and for each operation of the different API endpoints needs to be configured with the correct requirement.
Example on requirements are - InstanceRead (User/system needs to be authorized to perform read action on the instance in current state) - InstanceWrite (User/system needs to be authorized to perform write action on the instance and its data in current state) - InstanceInstantiate (user/system needs to be authorized to Instantiate an instance for an app)
The PEP will based on route data (like instanceId) and the authenticated Identity create a decision request and call PDP. Based on the response the PEP will deny or approve the user. (Deny = http 403)
The PEP validates any obligation from the PDP like minimum authentication level. If this is not valid, the request will be denied. (http 403)