Skip to content

docs: add Auth README #7368

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Oct 24, 2025
Merged

docs: add Auth README #7368

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b0e7c60
docs: add Auth README
sankari165 Oct 23, 2025
e710200
Update README.md
sankari165 Oct 23, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
63 changes: 63 additions & 0 deletions common/authorization/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
## Cadence has two authorizer options:

1. OAuthAuthorizer: validates JWTs issued by your Identity Provider and enforces permissions.
2. NoopAuthorizer: turns authorization off.

In order to configure, add an authorization section to Cadence server config [example](https://github.com/cadence-workflow/cadence/blob/master/config/development_oauth.yaml). These fields map 1:1 to the Go structs in [common/config](https://github.com/cadence-workflow/cadence/blob/master/common/config/authorization.go).

### Option A for OAuth : Validate tokens via JWKS


authorization:
oauthAuthorizer:
enable: true
# Reject tokens with excessively long TTL (seconds). Optional but recommended.
maxJwtTTL: 3600

# JWT verification config (algorithm + how to fetch public keys)
jwtCredentials:
algorithm: RS256 # supported: RS256
# publicKey is optional if you supply a JWKS URL (below)
# publicKey: /etc/cadence/keys/idp-public.pem

provider:
jwksURL: "https://YOUR_IDP/.well-known/jwks.json"
# Optional JSONPath-like claims locations used by Cadence:
groupsAttributePath: "groups"
adminAttributePath: "admin"

### Option B for OAuth : Validate tokens via a static public key


authorization:
oauthAuthorizer:
enable: true
maxJwtTTL: 3600
jwtCredentials:
algorithm: RS256
publicKey: /etc/cadence/keys/idp-public.pem

### NoopAuthorizer: Turning authz off


authorization:
noopAuthorizer:
enable: true

## Background

The server constructs an authorization.Attributes object for each API call (actor, API name, domain, optional workflow/tasklist), evaluates the token, and returns an allow/deny Decision. JWTs are expected to contain Cadence-specific claims including groups and (optionally) an admin flag.

### Key structs & functions:

```
authorization.Authorizer interface

authorization.Attributes

authorization.Decision

authorization.JWTClaims
```

When OAuth authZ is enabled, clients must present a valid JWT to the frontend service on every call (Cadence uses the provided token to authorize the API/Domain access). The exact header/wire placement is handled by Cadence’s server middleware and the client transport; the important bit is that the token must validate against your jwksURL/publicKey, include expected claims (groups/admin), and not exceed maxJwtTTL.
Loading