Service Access Strategy - OpenFGA
OpenFGA is a fast, flexible Fine-Grained Authorization system that has been designed for reliability and low latency at a high scale. It’s designed, built, and sponsored by Okta/Auth0.
This access strategy builds an authorization request and submits it to OpenFGA’s `check` API endpoint. The specifics of the authorization request are taught to CAS using the settings typically defined within the access strategy itself:
```json
{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "^https://.+",
  "name" : "test",
  "id" : 1,
  "accessStrategy" : {
    "@class": "org.apereo.cas.services.OpenFGARegisteredServiceAccessStrategy",
    "apiUrl": "http://localhost:8080",
    "object": "my-document",
    "relation": "owner",
    "storeId": "Y75hgyt75mhp",
    "token": "92d4a401-86b4-4636-b742-a7c8034756a0"
  }
}
```
The following fields are available to this access strategy:
| Field | Purpose |
|---|---|
| `relation` | [1] The relation or the type of access in the authorization tuple; defaults to `owner`. |
| `object` | [1] The object of the authorization tuple; defaults to the service URL if undefined. |
| `storeId` | [1] The authorization store identifier. |
| `apiUrl` | [1] The OpenFGA endpoint URL. |
| `token` | [1] The bearer token to use in the `Authorization` header, if required. |
[1] This field supports the Spring Expression Language syntax.
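
The check call that these settings describe, sketched in Python as an added example (not CAS code). The helper names, the `user:<id>` formatting of the principal, and the fail-closed handling of the response are assumptions of this sketch; the endpoint path and `tuple_key` body follow OpenFGA's check API.

```python
import json
from urllib import request, error

# Constructed sample: the accessStrategy settings from the service definition above.
STRATEGY = {
    "apiUrl": "http://localhost:8080",
    "object": "my-document",
    "relation": "owner",
    "storeId": "Y75hgyt75mhp",
    "token": "92d4a401-86b4-4636-b742-a7c8034756a0",
}

def build_check_request(strategy, principal_id, service_url):
    """Return (url, headers, body) for an OpenFGA check call.

    Assumption: the principal is sent as "user:<id>"; the page does not say
    how CAS formats the user half of the authorization tuple.
    """
    tuple_key = {
        "user": f"user:{principal_id}",
        "relation": strategy.get("relation") or "owner",  # documented default
        "object": strategy.get("object") or service_url,  # documented default
    }
    headers = {"Content-Type": "application/json"}
    if strategy.get("token"):  # bearer token is sent only when configured
        headers["Authorization"] = f"Bearer {strategy['token']}"
    url = f"{strategy['apiUrl'].rstrip('/')}/stores/{strategy['storeId']}/check"
    return url, headers, json.dumps({"tuple_key": tuple_key}).encode()

def decide(status, raw_body):
    """Fail closed: grant access only on HTTP 200 with a literal allowed=true."""
    if status != 200:
        return False
    try:
        return json.loads(raw_body).get("allowed") is True
    except (ValueError, AttributeError):
        return False

def check_access(strategy, principal_id, service_url, timeout=3):
    """Send the check; any transport or HTTP error results in a denial."""
    url, headers, body = build_check_request(strategy, principal_id, service_url)
    req = request.Request(url, data=body, headers=headers, method="POST")
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            return decide(resp.status, resp.read())
    except (error.URLError, OSError, ValueError):
        return False
```

The sample `apiUrl` uses plain `http://`, so the bearer token travels unencrypted; outside a local test, point `apiUrl` at an `https://` endpoint.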