Authorization
#Okta FGA Authorization Policy
This policy will authorize requests using Okta FGA. If the request is not authorized, a 403 response will be returned.
Beta
This policy is in beta. You can use it today, but it may change in non-backward compatible ways before the final release.
#Configuration
The configuration shows how to configure the policy in the 'policies.json' document.
{
"name": "my-okta-fga-authz-inbound-policy",
"policyType": "okta-fga-authz-inbound",
"handler": {
"export": "OktaFGAAuthZInboundPolicy",
"module": "$import(@zuplo/runtime)",
"options": {
"authorizationModelId": "$env(FGA_MODEL_ID)",
"credentials": {
"clientId": "$env(FGA_CLIENT_ID)",
"clientSecret": "$env(FGA_CLIENT_SECRET)"
},
"region": "us1",
"storeId": "$env(FGA_STORE_ID)"
}
}
}json#Policy Configuration
name<string>- The name of your policy instance. This is used as a reference in your routes.policyType<string>- The identifier of the policy. This is used by the Zuplo UI. Value should beokta-fga-authz-inbound.handler.export<string>- The name of the exported type. Value should beOktaFGAAuthZInboundPolicy.handler.module<string>- The module containing the policy. Value should be$import(@zuplo/runtime).handler.options<object>- The options for this policy. See Policy Options below.
#Policy Options
The options for this policy are specified below. All properties are optional unless specifically marked as required.
region(required)<string>- The region your store is deployed. Allowed values areus1,eu1,au1.storeId(required)<string>- The ID of the store.authorizationModelId(required)<string>- The ID of the authorization model.allowUnauthorizedRequests<boolean>- Indicates whether the request should continue if authorization fails. Default isfalsewhich means unauthorized users will automatically receive a 403 response. Defaults tofalse.credentials(required)<object>- No description available.clientId(required)<string>- The client ID.clientSecret(required)<string>- The client secret.
#Using the Policy
Read more about how policies work