OpenFGA Authorization
Use OpenFGA from a custom policy to authorize access to a resource.
OpenFGA Authorization#
This sample demonstrates how to use OpenFGA from a custom Zuplo policy to authorize access to a resource.
Prerequisites#
In order to use this sample, you will need to configuration an authorization policy. This sample is setup with the Zuplo Auth0 authentication policy, but you can use any authentication or custom authentication policy. You will need to configure the policy with your own identity provider.
You will also need an OpenFGA service. You can run OpenFGA locally as shown in the documentation. When running locally, in order to use this sample, you'll want to use Zuplo Local Development.
OpenFGA Policy#
The custom policy is configured to read configuration from the x-authorization
extension in the OpenAPI definition. The configuration of that property is a JSON object with the following properties:
relation
: The relation of the user to the resource. This is the value of therelation
property in the OpenFGA policy.objectType
: The type of the resource. This is used to build theobject
property in the OpenFGA policy. For example, if this property is set asdocument
, then theobject
property in the OpenFGA policy will bedocument:{id}
where the value of{id}
comes from the URL .objectParam
: The name of the parameter in the request that contains the resource identifier. For example, if your url is/docs/{id}
, then the value of this property should beid
.
"x-authorization": {
"relation": "reader",
"objectType": "document",
"objectParam": "id"
},
The policy will then use the relation
, object
and objectType
properties to build the OpenFGA policy and authorize the request. For example, if user auth0|123
calls the url /docs/456
the policy will check the following tuple results in a valid access check:
{
"user": "user:auth0|123",
"relation": "reader",
"object": "document:456"
}
If the user is authorized as a reader on that document, the request will be allowed. Otherwise, it will be denied.
Discover More Examples
API Linting
See how to use API linting to enforce api consistency and require Zuplo features like policies.
Backend for Frontend (BFF) Auth
Optimize UX and security in web applications with this approach.
Custom Rate Limiting
Invoke the Rate Limit policy programatically and then modify the 429 response.
Custom Modules
How to bundle custom node modules to use in your Zuplo project.