isAuthorizedWithToken method
Makes an authorization decision about a service request described in the
parameters. The principal in this request comes from an external identity
source in the form of an identity token formatted as a JSON web token (JWT).
The information in the parameters can also define additional context that
Verified Permissions can include in the evaluation. The request is
evaluated against all matching policies in the specified policy store. The
result of the decision is either Allow or Deny,
along with a list of the policies that resulted in the decision.
Verified Permissions validates each token that is specified in a request by checking its expiration date and its signature.
May throw ResourceNotFoundException.
Parameter policyStoreId :
Specifies the ID of the policy store. Policies in this policy store will
be used to make an authorization decision for the input.
To specify a policy store, use its ID or alias name. When using an alias
name, prefix it with policy-store-alias/. For example:
-
ID:
PSEXAMPLEabcdefg111111 -
Alias name:
policy-store-alias/example-policy-store
Parameter accessToken :
Specifies an access token for the principal to be authorized. This token
is provided to you by the identity provider (IdP) associated with the
specified identity source. You must specify either an
accessToken, an identityToken, or both.
Must be an access token. Verified Permissions returns an error if the
token_use claim in the submitted token isn't
access.
Parameter action :
Specifies the requested action to be authorized. Is the specified
principal authorized to perform this action on the specified resource.
Parameter context :
Specifies additional context that can be used to make more granular
authorization decisions.
Parameter entities :
(Optional) Specifies the list of resources and their associated attributes
that Verified Permissions can examine when evaluating the policies. These
additional entities and their attributes can be referenced and checked by
conditional elements in the policies in the specified policy store.
-
The
IsAuthorizedWithTokenoperation takes principal attributes from only theidentityTokenoraccessTokenpassed to the operation. -
For action entities, you can include only their
IdentifierandEntityType.
Parameter identityToken :
Specifies an identity token for the principal to be authorized. This token
is provided to you by the identity provider (IdP) associated with the
specified identity source. You must specify either an
accessToken, an identityToken, or both.
Must be an ID token. Verified Permissions returns an error if the
token_use claim in the submitted token isn't id.
Parameter resource :
Specifies the resource for which the authorization decision is made. For
example, is the principal allowed to perform the action on the resource?
Implementation
Future<IsAuthorizedWithTokenOutput> isAuthorizedWithToken({
required String policyStoreId,
String? accessToken,
ActionIdentifier? action,
ContextDefinition? context,
EntitiesDefinition? entities,
String? identityToken,
EntityIdentifier? resource,
}) async {
final headers = <String, String>{
'Content-Type': 'application/x-amz-json-1.0',
'X-Amz-Target': 'VerifiedPermissions.IsAuthorizedWithToken'
};
final jsonResponse = await _protocol.send(
method: 'POST',
requestUri: '/',
exceptionFnMap: _exceptionFns,
// TODO queryParams
headers: headers,
payload: {
'policyStoreId': policyStoreId,
if (accessToken != null) 'accessToken': accessToken,
if (action != null) 'action': action,
if (context != null) 'context': context,
if (entities != null) 'entities': entities,
if (identityToken != null) 'identityToken': identityToken,
if (resource != null) 'resource': resource,
},
);
return IsAuthorizedWithTokenOutput.fromJson(jsonResponse.body);
}