See also, this Q&A.
There are products that satisfy this requirement. Back in the day of XML Web Services, there was a standard that emerged called “XACML” : extensible Access Control Markup Language. It provided a standard way to describe tuples of {subject, resource, action} with allow or deny semantics for those tuples. The subject identified the person or party requesting access, and the resource was… what you think of as a REST resource (perhaps identified by a path in the REST model), and finally the action would map to the http verb.
The idea behind the standard was that you’d be able to author rules in this XACML format and then move them into various products that would ingest XACML.
Then, at runtime, systems could send queries into the authorization server, containing that tuple, and get an “allow” or “deny” back from the server.
Though XACML provided the standard for authoring rules, there was no standard runtime query interface defined for these “authorization servers”. In other words, the way to send in a query to the IBM XACML server (I think it was called Tivoli Security Policy Manager) was entirely different from the way you’d send a query into the Oracle/Weblogic XACML server, which was called WebLogic Entitlements Server, I think. These names may have been changed by now. .
And then finally there was the Microsoft option, which was called AzMan and was part of Windows. (Deprecated since WS2012). It was not XACML compliant, but basically did the same thing as the above.
And anyway, the whole idea behind XACML was not very complicated, and moving from one way to describe those simple rules to another, was not very difficult.
Today there are more modern options like Axiomatics and others. Search on community.apigee.com for these terms and you may find some hints.
And you could even encode the authorization rules into a BaaS collection, and just query BaaS. If your requirements for authoring, auditing, reporting, and editing those authorization rules is pretty simple, something “quick and dirty” like BaaS might be acceptable. If you have requirements to show an audit trail for every change of the authorization rule set, or you need more complex ingest options, or you want to be able to stage changes, then you might want to look into a mature third party authorization control product like Axiomatics.
The key thing you need is to model the {subject, resource, action} tuple.
For example, these might be some rules:
| Subject |
Resource |
Action |
Result |
| Bob |
/xyz |
GET |
allow |
| Bob |
/xyz |
POST |
deny |
| Bob |
/abc |
GET |
allow |
| Bob |
/abc |
POST |
allow |
| Alice |
/xyz |
POST |
allow |
| Alice |
/abc |
POST |
allow |
If you are using OAuthV2 and you have tokens with scopes attached, you might want to replace the “subject” in that tuple with something like “scopeset”, which the authorization server would treat the same way as “subject”.
Some cases extend that tuple to include “environment” or “context” which might include stuff like the time of day, the number of calls made over the past hour, and so on . So a rule could deny Bob GET access to /xyz if it is past 20:00.
And then each proxy would call a ServiceCallout to the authorization server, passing the appropriate tuple, and then reject or allow the call based on the response.
Wrap that call with some caching, and you’re set for a high-throughput system.