Zuplo DocsZuplo Docs
Authorization

#OpenFGA Authorization Policy

This policy will authorize requests using OpenFGA. If the request is not authorized, a 403 response will be returned.

Beta

This policy is in beta. You can use it today, but it may change in non-backward compatible ways before the final release.

#Configuration

The configuration shows how to configure the policy in the 'policies.json' document.

{
  "name": "my-openfga-authz-inbound-policy",
  "policyType": "openfga-authz-inbound",
  "handler": {
    "export": "OpenFGAAuthZInboundPolicy",
    "module": "$import(@zuplo/runtime)",
    "options": {
      "apiUrl": "https://api.us1.fga.dev",
      "authorizationModelId": "$env(FGA_MODEL_ID)",
      "credentials": {
        "method": "client-credentials",
        "clientId": "$env(FGA_CLIENT_ID)",
        "clientSecret": "$env(FGA_CLIENT_SECRET)",
        "apiAudience": "https://api.us1.fga.dev/",
        "oauthTokenEndpointUrl": "https://fga.us.auth0.com/oauth/token"
      },
      "storeId": "$env(FGA_STORE_ID)"
    }
  }
}
json

#Policy Configuration

  • name <string> - The name of your policy instance. This is used as a reference in your routes.
  • policyType <string> - The identifier of the policy. This is used by the Zuplo UI. Value should be openfga-authz-inbound.
  • handler.export <string> - The name of the exported type. Value should be OpenFGAAuthZInboundPolicy.
  • handler.module <string> - The module containing the policy. Value should be $import(@zuplo/runtime).
  • handler.options <object> - The options for this policy. See Policy Options below.

#Policy Options

The options for this policy are specified below. All properties are optional unless specifically marked as required.

  • apiUrl (required) <string> - The URL of the OpenFGA service.
  • storeId (required) <string> - The ID of the store.
  • authorizationModelId (required) <string> - The ID of the authorization model.
  • allowUnauthorizedRequests <boolean> - Indicates whether the request should continue if authorization fails. Default is false which means unauthorized users will automatically receive a 403 response. Defaults to false.
  • credentials (required) <undefined> - No description available.

#Using the Policy

Read more about how policies work

← Previous page
Okta FGA Authorization Policy
Next page →
Axiomatics Authorization Policy