
Cedarling Quick Start 2 (Signed)

Introduction

Jans Tarp is a browser plugin that lets developers test OpenID Connect flows. It embeds the Cedarling WASM PDP (policy decision point), so Cedar policies can be tested against real JWTs. This guide demonstrates Role Based Access Control (RBAC) in three steps:

  1. Create Cedar policy and schema
  2. Configure Tarp with the policy store
  3. Test the policy using Cedarling

Prerequisites

Install Jans Tarp in Firefox or Chrome:

  • Download Tarp
  • Firefox:
      • about:debugging → This Firefox → Load Temporary Add-on → select the ZIP
  • Chrome:
      • Extract the ZIP → Settings > Extensions → enable Developer Mode → Load Unpacked → select the extracted folder

Cedar Policy

This demo policy grants access only to users with the SupremeRuler role:

@id("allow_supreme_ruler")
permit(
  principal in Jans::Role::"SupremeRuler",
  action,
  resource
);

Create Cedar Policy and Schema

Cedarling needs policies and a schema to authorize access. These are bundled in a policy store (a JSON file). To create one, use Agama Lab’s Policy Designer, which provides a visual tool to define entities, actions, resources, and policies.

Follow this video walkthrough:

[video: agama-lab-policy-store]

Inputs:

  • Schema:
      • Add entity Object (no attributes)
      • Add Object to the Read action as a resource
  • Policy: use the policy above
  • Trusted Issuers:
      • Name: testIdp
      • Description: Test IDP
      • OIDC Config URL: https://test-jans.gluu.info/.well-known/openid-configuration
      • Token Metadata:

    {
      "access_token": {
        "trusted": true,
        "entity_type_name": "Jans::Access_token",
        "required_claims": ["jti", "iss", "aud", "sub", "exp", "nbf"],
        "principal_mapping": ["Jans::Workload"]
      },
      "id_token": {
        "trusted": true,
        "entity_type_name": "Jans::id_token"
      },
      "userinfo_token": {
        "trusted": true,
        "entity_type_name": "Jans::Userinfo_token",
        "principal_mapping": ["Jans::User"]
      }
    }
    

At the end, copy the generated policy store URI for the next step.

Configure Tarp with the policy store

  1. Open Tarp
  2. Add Client:
      • Issuer: https://test-jans.gluu.info
      • Expiry: the day after today
      • Scopes: openid, profile, role
  3. Click Register
  4. Go to Cedarling → Add Configurations
  5. Paste the config below (replace <Policy Store URI> with the URI copied in the previous step):
    {
      "CEDARLING_APPLICATION_NAME": "My App",
      "CEDARLING_POLICY_STORE_URI": "<Policy Store URI>",
      "CEDARLING_LOG_TYPE": "std_out",
      "CEDARLING_LOG_LEVEL": "INFO",
      "CEDARLING_USER_AUTHZ": "enabled",
      "CEDARLING_WORKLOAD_AUTHZ": "disabled",
      "CEDARLING_PRINCIPAL_BOOLEAN_OPERATION": {
        "===": [{"var": "Jans::User"}, "ALLOW"]
      },
      "CEDARLING_JWT_SIG_VALIDATION": "disabled",
      "CEDARLING_JWT_STATUS_VALIDATION": "disabled",
      "CEDARLING_MAPPING_USER": "Jans::User",
      "CEDARLING_MAPPING_WORKLOAD": "Jans::Workload",
      "CEDARLING_JWT_SIGNATURE_ALGORITHMS_SUPPORTED": [
        "HS256", "RS256"
      ],
      "CEDARLING_ID_TOKEN_TRUST_MODE": "none",
      "CEDARLING_LOCK": "disabled",
      "CEDARLING_LOCK_DYNAMIC_CONFIGURATION": "disabled",
      "CEDARLING_LOCK_LISTEN_SSE": "disabled"
    }
  6. Click Save to initialize Cedarling.

Test the policy using Cedarling

  1. In Tarp, click the ⚡ icon to begin authentication
  2. Input:
      • ACR: basic
      • Scopes: openid, profile, role
  3. Log in on the test IDP with a user that has the SupremeRuler role
  4. Click Allow on the consent screen
  5. Back in Tarp, open the Cedarling Authz Request Form
  6. Input:
      • Principal: select all 3 tokens
      • Action: Jans::Action::"Read"
      • Resource:
        {
          "entity_type": "resource",
          "type": "Jans::Object",
          "id": "some_id"
        }
  7. Click Cedarling Authz Request

Sample Response:

{
  ...
  "decision": true,
  "request_id": "019602f1-c964-7dbb-8a07-5b66b642e502"
}

The top-level "decision": true confirms that the request was authorized.
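As an added example (not Cedarling's own code and not part of the quick start), the Python below mirrors what the configuration above makes Cedarling do: decode the three tokens, enforce the required_claims from the token metadata, map tokens onto Jans::Workload and Jans::User through principal_mapping, and evaluate the allow_supreme_ruler policy against the user's role claim. The token payloads, the client id and the `role` claim name are constructed assumptions; the signature segment is a placeholder, which only passes because this configuration sets CEDARLING_JWT_SIG_VALIDATION to disabled.

```python
import base64
import json
# Token metadata as given in the quick start's Trusted Issuers step.
TOKEN_METADATA = {
    "access_token": {"entity_type_name": "Jans::Access_token",
                     "required_claims": ["jti", "iss", "aud", "sub", "exp", "nbf"],
                     "principal_mapping": ["Jans::Workload"]},
    "id_token": {"entity_type_name": "Jans::id_token"},
    "userinfo_token": {"entity_type_name": "Jans::Userinfo_token",
                       "principal_mapping": ["Jans::User"]},
}

def make_demo_jwt(payload: dict) -> str:
    """Constructed token with a placeholder signature (accepted only because the quick start disables CEDARLING_JWT_SIG_VALIDATION)."""
    segs = [b'{"alg":"RS256","typ":"JWT"}', json.dumps(payload).encode()]
    return ".".join(base64.urlsafe_b64encode(s).rstrip(b"=").decode() for s in segs) + ".placeholder-signature"

def decode_payload(jwt: str) -> dict:
    body = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def missing_required_claims(kind: str, payload: dict) -> list:
    """Claims named in required_claims for this token kind that the payload lacks."""
    return [c for c in TOKEN_METADATA[kind].get("required_claims", []) if c not in payload]

def build_principals(tokens: dict) -> dict:
    """Map each token onto its principal_mapping types; a 'role' claim (assumed name) becomes Jans::Role membership."""
    principals = {}
    for kind, jwt in tokens.items():
        payload = decode_payload(jwt)
        if missing := missing_required_claims(kind, payload):
            raise ValueError(f"{kind} is missing required claims: {missing}")
        roles = payload.get("role", [])
        for ptype in TOKEN_METADATA[kind].get("principal_mapping", []):
            principals[ptype] = {"id": payload["sub"], "roles": [roles] if isinstance(roles, str) else list(roles)}
    return principals

def allow_supreme_ruler(principals: dict) -> bool:
    """Demo policy: permit when Jans::User is in Jans::Role::"SupremeRuler" (any action, any resource)."""
    user = principals.get("Jans::User")
    return user is not None and "SupremeRuler" in user["roles"]

def demo_decision(roles: list) -> bool:
    # End-to-end run of the quick start scenario with constructed tokens for a user holding `roles`.
    base = {"iss": "https://test-jans.gluu.info", "aud": "constructed-client",
            "sub": "user-1", "exp": 2_000_000_000, "nbf": 1_700_000_000}
    tokens = {"access_token": make_demo_jwt({**base, "jti": "constructed-jti"}),
              "id_token": make_demo_jwt(base),
              "userinfo_token": make_demo_jwt({**base, "role": roles})}
    return allow_supreme_ruler(build_principals(tokens))
```

Dropping the role from the userinfo token, or omitting one of the access token's required claims, shows the two ways the quick start's request can fail before any policy is evaluated.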

Sequence diagram

View full diagram here


Last update: 2025-04-09
Created: 2025-04-09