Policies

Okta FGA Authorization Policy

This policy will authorize requests using Okta FGA. If the request is not authorized, a 403 response will be returned.

Beta

This policy is in beta. You can use it today, but it may change in non-backward compatible ways before the final release.

Configuration

The configuration shows how to configure the policy in the 'policies.json' document.

{
  "name": "my-okta-fga-authz-inbound-policy",
  "policyType": "okta-fga-authz-inbound",
  "handler": {
    "export": "OktaFGAAuthZInboundPolicy",
    "module": "$import(@zuplo/runtime)",
    "options": {
      "authorizationModelId": "$env(FGA_MODEL_ID)",
      "credentials": {
        "clientId": "$env(FGA_CLIENT_ID)",
        "clientSecret": "$env(FGA_CLIENT_SECRET)"
      },
      "region": "us1",
      "storeId": "$env(FGA_STORE_ID)"
    }
  }
}

Policy Options

The options for this policy are specified below. All properties are optional unless specifically marked as required.

  • region <string> (Required) -
    The region your store is deployed.
    Allowed values are us1, eu1, and au1.
  • storeId <string> (Required) -
    The ID of the store.
  • authorizationModelId <string> (Required) -
    The ID of the authorization model.
  • allowUnauthorizedRequests <boolean> -
    Indicates whether the request should continue if authorization fails. Default is false which means unauthorized users will automatically receive a 403 response.
    Defaults to false.
  • credentials <object> (Required) -
    • clientId <string> (Required) -
      The client ID.
    • clientSecret <string> (Required) -
      The client secret.

Using the Policy

Read more about how policies work

Previous
HMAC Auth
Next
OpenFGA Authorization