Mastering HTTP API Authentication & RBAC with Casbin: A Hands‑On Guide
This tutorial explains the fundamentals of HTTP API authentication versus authorization, introduces Casbin's model and policy syntax for role‑based access control, and provides step‑by‑step PHP code examples to add permissions, assign roles, and enforce RBAC checks.
Authentication and Authorization
Authentication verifies that the presented credentials (e.g., username and password) belong to the requester, establishing the identity of the caller. Authorization determines whether the authenticated identity is permitted to perform a specific action. An API can successfully authenticate a request but still deny it during the authorization step.
Casbin Model Syntax
Casbin uses a plain‑text model file to describe the request format, policy storage, role hierarchy, effect evaluation, and matchers. The essential sections are:
[request_definition]
r = sub, obj, act
[policy_definition]
p = sub, obj, act
[role_definition]
g = _, _
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
Policy Definition Example
p, alice, data1, read
p, bob, data2, write
p, data2_admin, data2, read
p, data2_admin, data2, write
g, alice, data2_admin
Two users (alice and bob) and one role (data2_admin); the g rule makes alice a member of data2_admin, so she inherits every permission granted to that role.
Request Validation Example
Request: alice, data2, read
Result: true
No p rule names alice on data2 directly; the request is allowed because g(alice, data2_admin) holds and the rule "p, data2_admin, data2, read" matches the object and action.
PHP Implementation with Casbin
Add permissions for individual users
Assign permissions to the role data2_admin
Grant the role to a user
Resulting policy rules stored in the adapter/database
Verify a permission at runtime
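As an added example (not the tutorial's PHP code and not the Casbin library itself), the following self-contained Python script re-implements the model above: it loads the policy rules, resolves role membership for the g function, and evaluates the matcher and the some(where (p.eft == allow)) effect. The function names load_policy, has_role and enforce are assumptions chosen for this illustration; it also walks role chains transitively, which the model's g = _, _ definition permits.

```python
# Constructed copy of the policy from the tutorial (not read from a file).
POLICY_CSV = """\
p, alice, data1, read
p, bob, data2, write
p, data2_admin, data2, read
p, data2_admin, data2, write
g, alice, data2_admin
"""

def load_policy(text):
    """Split the CSV into p rules (sub, obj, act) and g links (user, role)."""
    p_rules, g_links = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p":
            p_rules.append(tuple(fields[1:4]))
        elif fields[0] == "g":
            g_links.append((fields[1], fields[2]))
    return p_rules, g_links

def has_role(user, role, g_links, seen=None):
    """g(user, role): true if user is the role itself or inherits it,
    following g links transitively; 'seen' guards against cycles."""
    if user == role:
        return True
    if seen is None:
        seen = set()
    for u, r in g_links:
        if u == user and r not in seen:
            seen.add(r)
            if has_role(r, role, g_links, seen):
                return True
    return False

def enforce(sub, obj, act, p_rules, g_links):
    """Matcher: g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act.
    Effect some(where (p.eft == allow)): one matching rule is enough."""
    return any(has_role(sub, p_sub, g_links) and obj == p_obj and act == p_act
               for p_sub, p_obj, p_act in p_rules)

if __name__ == "__main__":
    rules, links = load_policy(POLICY_CSV)
    for req in [("alice", "data2", "read"), ("alice", "data2", "write"),
                ("bob", "data2", "read"), ("bob", "data1", "read")]:
        print(req, enforce(*req, rules, links))
```

Run it to see that alice is allowed on data2 only through her role, while bob, who holds no role, is denied anything beyond his single direct rule.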
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.