feat: add fine-grained authorization (FGA) support #16
Open
lakhansamani wants to merge 3 commits into
Add client-facing FGA capabilities mirroring the server's authorization API:
- RequiredPermissions ([]*PermissionInput, AND semantics) on SessionQueryRequest, ValidateJWTTokenRequest and ValidateSessionRequest
- GetPermissions(headers) wrapping the permissions query, returning the authenticated principal's granted resource:scope permissions
- Permission / PermissionInput types and PermissionFragment
- Integration tests for GetPermissions and required-permissions validation
- README usage section
2619aed to
a752d88
Expose the three public (non-admin) FGA GraphQL operations of the
Authorizer server, backed by its embedded OpenFGA engine:
- FgaCheck -> fga_check(params: FgaCheckInput) { allowed }
- FgaBatchCheck -> fga_batch_check(params: FgaBatchCheckInput) { results { allowed } }
- FgaListObjects -> fga_list_objects(params: FgaListObjectsInput) { objects }
The subject defaults to the authenticated caller and is pinned
server-side from the request headers; the optional User override is
honored only for super-admin callers. Contextual tuples are supported
on single and batch checks. Model/tuple authoring stays in the
dashboard / _fga_* admin API by design and is not part of the SDK.
This supersedes the earlier (unreleased, branch-only) resource:scope
permissions surface: GetPermissions, Permission/PermissionInput and the
RequiredPermissions fields on validate/session requests are removed,
since the server replaced resource:scope permissions with FGA relations
(required_relations).
Tests: rewrite the FGA integration tests against the new API, skip
cleanly when the target server has FGA disabled or no model installed,
and send an Origin header from the test client (the server's CSRF
middleware rejects GraphQL POSTs without Origin/Referer).
Verified against a live server (sqlite, embedded OpenFGA) end to end:
allowed/denied single checks, positional batch results, list_objects
filtering and contextual-tuple evaluation.
Match the server's renamed public FGA GraphQL surface (never released,
so a clean rename): fga_check / fga_batch_check / fga_list_objects are
replaced by check_permissions and list_permissions.
- CheckPermissions evaluates one or more checks per call; each result
echoes its relation/object pair and is positionally aligned.
- ListPermissions returns the object ids the subject holds a relation on.
- Subject defaults to the caller's token; the optional User override
("type:id", bare id -> "user:<id>") is honored only for super-admins
or when it equals the caller's own token subject.
- Rewrite integration tests and README examples to the new methods.
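The subject-override rule stated in the commit message above, sketched as an added Go example; it is not code from this PR or from the Authorizer server. ResolveSubject and normalizeSubject are hypothetical names, and treating the token subject as a bare user id is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrSubjectOverrideDenied is returned when a non-admin asks about another subject.
var ErrSubjectOverrideDenied = errors.New("user override not permitted for this caller")

// normalizeSubject applies the quoted rule: "type:id" is kept as-is,
// a bare id becomes "user:<id>".
func normalizeSubject(s string) string {
	s = strings.TrimSpace(s)
	if s == "" || strings.Contains(s, ":") {
		return s
	}
	return "user:" + s
}

// ResolveSubject (hypothetical helper) decides which subject a check runs as.
// tokenSub comes from the verified token, never from the request body.
func ResolveSubject(tokenSub string, isSuperAdmin bool, override string) (string, error) {
	caller := normalizeSubject(tokenSub)
	if caller == "" {
		return "", errors.New("no authenticated subject")
	}
	want := normalizeSubject(override)
	switch {
	case want == "" || want == caller: // no override, or it names the caller
		return caller, nil
	case isSuperAdmin: // only super-admins may ask about another subject
		return want, nil
	default:
		return "", ErrSubjectOverrideDenied
	}
}

func main() {
	// Constructed sample inputs.
	for _, c := range []struct{ sub string; admin bool; user string }{
		{"u1", false, ""}, {"u1", false, "user:u1"}, {"u1", false, "u2"}, {"root", true, "group:eng"},
	} {
		s, err := ResolveSubject(c.sub, c.admin, c.user)
		fmt.Printf("caller=%s admin=%v override=%q -> %q err=%v\n", c.sub, c.admin, c.user, s, err)
	}
}
```

Comparing after normalization is what lets a bare id and its "user:<id>" form count as the same subject, so the self-override case cannot be used to reach another principal.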
Summary
Adds client-facing Fine-Grained Authorization (FGA) support to the Go SDK, mirroring the authorization API shipped on the Authorizer server. FGA was planned but not yet present in the SDK.
The server's FGA model is Keycloak-style (resources / scopes / policies / permissions). This PR wraps the two surfaces relevant to a client SDK; admin _authz_* CRUD is intentionally excluded to keep the SDK's client-only scope (it exposes no admin operations).
Changes
- RequiredPermissions ([]*PermissionInput, AND semantics) added to SessionQueryRequest, ValidateJWTTokenRequest, and ValidateSessionRequest. If any required permission is denied, the result is unauthorized.
- GetPermissions(headers) — new method wrapping the permissions query; returns the authenticated principal's granted resource:scope permissions.
- Permission / PermissionInput types and PermissionFragment added to common.go.
- TestGetPermissions and TestValidateJWTTokenWithRequiredPermissions (skip-tolerant, matching existing test style).
Verification
- go build ./... ✅
- go vet ./... (incl. tests) ✅