Policies

OpenFGA Authorization Policy

This policy will authorize requests using OpenFGA. If the request is not authorized, a 403 response will be returned.

Beta

This policy is in beta. You can use it today, but it may change in non-backward compatible ways before the final release.

Configuration

The configuration shows how to configure the policy in the 'policies.json' document.

{
  "name": "my-openfga-authz-inbound-policy",
  "policyType": "openfga-authz-inbound",
  "handler": {
    "export": "OpenFGAAuthZInboundPolicy",
    "module": "$import(@zuplo/runtime)",
    "options": {
      "apiUrl": "https://api.us1.fga.dev",
      "authorizationModelId": "$env(FGA_MODEL_ID)",
      "credentials": {
        "method": "client-credentials",
        "clientId": "$env(FGA_CLIENT_ID)",
        "clientSecret": "$env(FGA_CLIENT_SECRET)",
        "apiAudience": "https://api.us1.fga.dev/",
        "oauthTokenEndpointUrl": "https://fga.us.auth0.com/oauth/token"
      },
      "storeId": "$env(FGA_STORE_ID)"
    }
  }
}

Policy Options

The options for this policy are specified below. All properties are optional unless specifically marked as required.

  • apiUrl <string> (Required) -
    The URL of the OpenFGA service.
  • storeId <string> (Required) -
    The ID of the store.
  • authorizationModelId <string> (Required) -
    The ID of the authorization model.
  • allowUnauthorizedRequests <boolean> -
    Indicates whether the request should continue if authorization fails. Default is false which means unauthorized users will automatically receive a 403 response.
    Defaults to false.
  • credentials <object | object | object | object> (Required) -

Using the Policy

Read more about how policies work

Previous
Okta FGA Authorization
Next
Axiomatics Authorization