开放的 Casbin API
介绍
Let's assume that your application's front-end has obtained the access_token
of the logged-in user and now wants to authenticate the user for some access. You cannot simply place the access_token
into the HTTP request header to use these APIs because Casdoor uses the Authorization
field to check the access permission. Like any other APIs provided by Casdoor, the Authorization
field consists of the application client id and secret, using the Basic HTTP Authentication Scheme. It looks like Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>
. 因此,Casbin API 应当被应用的后端服务器调用。 Here are the steps on how to do it.
Take the app-vue-python-example application in the demo site for example, the authorization header should be: Authorization: Basic 294b09fbc17f95daf2fe dd8982f7046ccba1bbd7851d5c1ece4e52bf039d
.
- The front-end passes the
access_token
to the backend server through the HTTP request header. - The backend server retrieves the user id from the
access_token
.
As a note in advance, these interfaces are also designed (for now) for the (sub, obj, act)
model. The permissionId
in the URL parameters is the identity of the applied permission policy, which consists of the organization name and the permission policy name (i.e., organization name/permission name
). The body is the request format defined by the Casbin model of the permission, usually representing sub
, obj
and act
respectively.
除了请求强制执行权限控制的 API 接口以外,Casdoor 也提供了其它一些有助于外部应用获取权限策略信息的接口,也一并列在此处。
Enforce
请求:
curl --location --request POST 'http://localhost:8000/api/enforce?permissionId=example-org/example-permission' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>' \
--data-raw '["example-org/example-user", "example-resource", "example-action"]'
响应:
{
"status": "ok",
"msg": "",
"sub": "",
"name": "",
"data": [
true
],
"data2": null
}
BatchEnforce
请求:
curl --location --request POST 'http://localhost:8000/api/batch-enforce?permissionId=example-org/example-permission' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>' \
--data-raw '[["example-org/example-user", "example-resource", "example-action"], ["example-org/example-user2", "example-resource", "example-action"], ["example-org/example-user3", "example-resource", "example-action"]]'
响应:
{
"status": "ok",
"msg": "",
"sub": "",
"name": "",
"data": [
[
true,
true,
false
]
],
"data2": null
}
GetAllObjects
请求:
curl --location --request GET 'http://localhost:8000/api/get-all-objects' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'
响应:
[
"app-built-in"
]
GetAllActions
请求:
curl --location --request GET 'http://localhost:8000/api/get-all-actions' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'
响应:
[
"read",
"write",
"admin"
]
GetAllRoles
请求:
curl --location --request GET 'http://localhost:8000/api/get-all-roles' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'
响应:
[
"role_kcx66l"
]