Auth0.Fga
0.3.1
Prefix Reserved
Ever since OpenFGA was open sourced, our development efforts shifted to focus OpenFga.Sdk (OpenFga.Sdk). With time, we have decided to deprecate this package and ask users of this package to use the OpenFga.Sdk directly.
The OpenFGA Client comes with additional benefits, like the `BatchCheck`, `ListRelations` and non-transactional `Write` methods.
Transitioning should be fairly straight-forward with only a few changes needed.
To configure the OpenFGA SDK to talk to the Auth0/Okta FGA `us1` production API, use the following settings:
- API URL: https://api.us1.fga.dev/
- Credential Method: ClientCredentials
- API Token Issuer: fga.us.auth0.com
- API Audience: https://api.us1.fga.dev/
Learn more here: https://docs.fga.dev/integration/setup-sdk-client
Read the OpenFGA .NET SDK docs here: https://github.com/openfga/dotnet-sdk
See the version list below for details.
dotnet add package Auth0.Fga --version 0.3.1
NuGet\Install-Package Auth0.Fga -Version 0.3.1
<PackageReference Include="Auth0.Fga" Version="0.3.1" />
paket add Auth0.Fga --version 0.3.1
#r "nuget: Auth0.Fga, 0.3.1"
// Install Auth0.Fga as a Cake Addin #addin nuget:?package=Auth0.Fga&version=0.3.1 // Install Auth0.Fga as a Cake Tool #tool nuget:?package=Auth0.Fga&version=0.3.1
.NET SDK for Auth0 Fine Grained Authorization (FGA)
This is an autogenerated SDK for Auth0 Fine Grained Authorization (FGA). It provides a wrapper around the Auth0 Fine Grained Authorization API.
Warning: This SDK comes with no SLAs and is not production-ready!
Table of Contents
- About Auth0 Fine Grained Authorization (FGA)
- Resources
- Installation
- Getting Started
- Contributing
- Issues
- Pull Requests [Note: We are not accepting Pull Requests at this time!]
- License
<a id="about"></a>About Auth0 Fine Grained Authorization (FGA)
Auth0 Fine Grained Authorization (FGA) is an open source Fine-Grained Authorization solution inspired by Google's Zanzibar paper. It was created by the FGA team at Auth0 based on Auth0 Fine-Grained Authorization (FGA), available under a permissive license (Apache-2) and welcomes community contributions.
Auth0 Fine Grained Authorization (FGA) is designed to make it easy for application builders to model their permission layer, and to add and integrate fine-grained authorization into their applications. Auth0 Fine Grained Authorization (FGA)’s design is optimized for reliability and low latency at a high scale.
It allows in-memory data storage for quick development, as well as pluggable database modules - with initial support for PostgreSQL.
It offers an HTTP API and has SDKs for programming languages including Node.js/JavaScript, GoLang and .NET.
More SDKs and integrations such as Rego are planned for the future.
Resources
- Auth0 Fine Grained Authorization (FGA) Documentation
- Auth0 Fine Grained Authorization (FGA) API Documentation
- Auth0 Fine Grained Authorization (FGA) Discord Community
- Zanzibar Academy
- Google's Zanzibar Paper (2019)
Installation
The Auth0 Fine Grained Authorization (FGA) .NET SDK is available on NuGet.
You can install it using:
- The dotnet CLI
dotnet add package Auth0.Fga
- The Package Manager Console inside Visual Studio:
Install-Package Auth0.Fga
Search for and install Auth0.Fga
in each of their respective package manager UIs.
Getting Started
Initializing the API Client
using Auth0.Fga.Api;
using Auth0.Fga.Client;
using Auth0.Fga.Configuration;
using Auth0.Fga.Model;
namespace Example {
public class Example {
public static void Main() {
try {
// See https://github.com/auth0-lab/fga-dotnet-sdk#getting-your-store-id-client-id-and-client-secret
var environment = Environment.GetEnvironmentVariable(("AUTH0_FGA_ENVIRONMENT"), // can be = "us"/"staging"/"playground"
var configuration = new Configuration(environment) {
StoreId = Environment.GetEnvironmentVariable(("AUTH0_FGA_STORE_ID"),
ClientId = Environment.GetEnvironmentVariable(("AUTH0_FGA_CLIENT_ID"), // Required for all environments except playground
ClientSecret = Environment.GetEnvironmentVariable(("AUTH0_FGA_CLIENT_SECRET"), // Required for all environments except playground
};
var auth0FgaApi = new Auth0FgaApi(configuration);
var response = auth0FgaApi.ReadAuthorizationModels();
Debug.WriteLine(response.AuthorizationModelIds);
} catch (ApiException e) {
Debug.Print("Status Code: "+ e.ErrorCode);
}
}
}
}
Getting your Store ID, Client ID and Client Secret
Production
Make sure you have created your credentials on the Auth0 FGA Dashboard. Learn how ➡
You will need to set the AUTH0_FGA_ENVIRONMENT
variable to "us"
. Provide the store id, client id and client secret you have created on the Dashboard.
Playground
If you are testing this on the public playground, you need to set your AUTH0_FGA_ENVIRONMENT
to "playground"
.
To get your store id, you may copy it from the store you have created on the Playground. Learn how ➡
In the playground environment, you do not need to provide a client id and client secret.
Calling the API
Write Authorization Model
Note: To learn how to build your authorization model, check the Docs at https://docs.fga.dev.
Learn more about the Auth0 Fine Grained Authorization (FGA) configuration language.
var relations = new Dictionary<string, Userset>()
{
{"writer", new Userset(_this: new object())},
{
"reader",
new Userset(union: new Usersets(new List<Userset>()
{new(new object(), new ObjectRelation("", "writer"))}))
}
};
var body = new TypeDefinitions(new List<TypeDefinition>() {new("repo", relations)});
var response = await auth0FgaApi.WriteAuthorizationModel(body);
// response.AuthorizationModelId = 1uHxCSuTP0VKPYSnkq1pbb1jeZw
Read a Single Authorization Model
string authorizationModelId = "1uHxCSuTP0VKPYSnkq1pbb1jeZw"; // Assuming `1uHxCSuTP0VKPYSnkq1pbb1jeZw` is an id of an existing model
var response = await auth0FgaApi.ReadAuthorizationModel(authorizationModelId);
// response.AuthorizationModel.Id = "1uHxCSuTP0VKPYSnkq1pbb1jeZw"
// response.AuthorizationModel.TypeDefinitions = [{ "type": "repo", "relations": { ... } }]
Read Authorization Model IDs
var response = await auth0FgaApi.ReadAuthorizationModels();
// response.AuthorizationModelIds = ["1uHxCSuTP0VKPYSnkq1pbb1jeZw", "GtQpMohWezFmIbyXxVEocOCxxgq"];
Check
var body =
new CheckRequest(tupleKey: new TupleKey("document:project-roadmap", "editor", "anne"));
var response = await auth0FgaApi.Check(body);
// response.Allowed = true
Write Tuples
var body = new WriteRequest(new TupleKeys(new List<TupleKey>
{new("document:project-roadmap", "editor", "anne")}));
var response = await auth0FgaApi.Write(body);
Delete Tuples
var body = new WriteRequest(new TupleKeys(new List<TupleKey> { }),
new TupleKeys(new List<TupleKey> {new("document:project-roadmap", "editor", "anne")}));
var response = await auth0FgaApi.Write(body);
Expand
var body = new ExpandRequest(new TupleKey("document:project-roadmap", "editor"));
var response = await auth0FgaApi.Expand(body);
// response.Tree.Root = {"name":"workspace:675bcac4-ad38-4fb1-a19a-94a5648c91d6#admin","leaf":{"users":{"users":["anne","beth"]}}}
Read
// Find if a relationship tuple stating that a certain user is an admin on a certain workspace
var body = new ReadRequest(new TupleKey(
_object: "workspace:675bcac4-ad38-4fb1-a19a-94a5648c91d6",
relation: "admin",
user: "81684243-9356-4421-8fbf-a4f8d36aa31b"));
// Find all relationship tuples where a certain user has a relationship as any relation to a certain workspace
var body = new ReadRequest(new TupleKey(
_object: "workspace:675bcac4-ad38-4fb1-a19a-94a5648c91d6",
user: "81684243-9356-4421-8fbf-a4f8d36aa31b"));
// Find all relationship tuples where a certain user is an admin on any workspace
var body = new ReadRequest(new TupleKey(
_object: "workspace:",
relation: "admin",
user: "81684243-9356-4421-8fbf-a4f8d36aa31b"));
// Find all relationship tuples where any user has a relationship as any relation with a particular workspace
var body = new ReadRequest(new TupleKey(
_object: "workspace:675bcac4-ad38-4fb1-a19a-94a5648c91d6"));
var body = new ReadRequest(new TupleKey("document:project-roadmap", "editor", "anne"));
var response = await auth0FgaApi.Read(body);
// In all the above situations, the response will be of the form:
// response = {"tuples":[{"key":{"user":"...","relation":"...","object":"..."},"timestamp":"..."}]}
Read Changes (Watch)
var type = 'workspace';
var pageSize = 25;
var continuationToken = 'eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==';
var response = await auth0FgaApi.ReadChanges(type, pageSize, continuationToken);
// response.continuation_token = ...
// response.changes = [
// { tuple_key: { user, relation, object }, operation: "write", timestamp: ... },
// { tuple_key: { user, relation, object }, operation: "delete", timestamp: ... }
// ]
API Endpoints
Method | HTTP request | Description |
---|---|---|
Check | POST /stores/{store_id}/check | Check whether a user is authorized to access an object |
Expand | POST /stores/{store_id}/expand | Expand all relationships in userset tree format, and following userset rewrite rules. Useful to reason about and debug a certain relationship |
Read | POST /stores/{store_id}/read | Get tuples from the store that matches a query, without following userset rewrite rules |
ReadAssertions | GET /stores/{store_id}/assertions/{authorization_model_id} | Read assertions for an authorization model ID |
ReadAuthorizationModel | GET /stores/{store_id}/authorization-models/{id} | Return a particular version of an authorization model |
ReadAuthorizationModels | GET /stores/{store_id}/authorization-models | Return all the authorization model IDs for a particular store |
ReadChanges | GET /stores/{store_id}/changes | Return a list of all the tuple changes |
Write | POST /stores/{store_id}/write | Add or delete tuples from the store |
WriteAssertions | PUT /stores/{store_id}/assertions/{authorization_model_id} | Upsert assertions for an authorization model ID |
WriteAuthorizationModel | POST /stores/{store_id}/authorization-models | Create a new authorization model |
Models
- Model.Any
- Model.Assertion
- Model.AuthErrorCode
- Model.AuthenticationErrorMessageResponse
- Model.AuthorizationModel
- Model.CheckRequest
- Model.CheckResponse
- Model.Computed
- Model.ContextualTupleKeys
- Model.CreateStoreResponse
- Model.Difference
- Model.ErrorCode
- Model.ExpandRequest
- Model.ExpandResponse
- Model.GetStoreResponse
- Model.InternalErrorCode
- Model.InternalErrorMessageResponse
- Model.Leaf
- Model.ListStoresResponse
- Model.Node
- Model.Nodes
- Model.NotFoundErrorCode
- Model.ObjectRelation
- Model.PathUnknownErrorMessageResponse
- Model.ReadAssertionsResponse
- Model.ReadAuthorizationModelResponse
- Model.ReadAuthorizationModelsResponse
- Model.ReadChangesResponse
- Model.ReadRequest
- Model.ReadResponse
- Model.ResourceExhaustedErrorCode
- Model.ResourceExhaustedErrorMessageResponse
- Model.Status
- Model.Store
- Model.Tuple
- Model.TupleChange
- Model.TupleKey
- Model.TupleKeys
- Model.TupleOperation
- Model.TupleToUserset
- Model.TypeDefinition
- Model.TypeDefinitions
- Model.Users
- Model.Userset
- Model.UsersetTree
- Model.UsersetTreeDifference
- Model.UsersetTreeTupleToUserset
- Model.Usersets
- Model.ValidationErrorMessageResponse
- Model.WriteAssertionsRequest
- Model.WriteAuthorizationModelResponse
- Model.WriteRequest
Contributing
Issues
If you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker.
Pull Requests
Pull Requests are not currently open, please raise an issue or contact a team member on https://discord.gg/8naAwJfWN6 if there is a feature you'd like us to implement.
Author
License
This project is licensed under the MIT license. See the LICENSE file for more info.
The code in this repo was auto generated by OpenAPI Generator from a template based on the csharp-netcore template, licensed under the Apache License 2.0.
Product | Versions Compatible and additional computed target framework versions. |
---|---|
.NET | net6.0 is compatible. net6.0-android was computed. net6.0-ios was computed. net6.0-maccatalyst was computed. net6.0-macos was computed. net6.0-tvos was computed. net6.0-windows was computed. net7.0 was computed. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed. net8.0 was computed. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. |
-
net6.0
- No dependencies.
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.