Enforce Authorization in your Application
After making authorization decisions for requests, your application must enforce the decision. What enforcement looks like is context dependent, but includes actions like returning errors or filtering data visible to the requestor.
Below, you will find detailed enforcement code samples in languages we support; they'll include uses of the Oso Cloud API to make authorization decisions for requests followed by enforcement strategies. However, which Oso Cloud API you use depends on where your authorization data is stored.
Some data stored locally
If your application database retains relevant authorization
data, use the authorize_local
command in your client, which is also known as the distributed check API.
When you initialize the Oso Cloud client, provide the YAML configuration:
oso = OsoCloud::new( ... data_bindings: "path/to/data_bindings.yaml")
Returning to the repository example, first use authorize_local
to tell Oso Cloud to partially evaluate whether the user is authorized to perform the read
action on the repository.
Then, use the resulting query to finish the evaluation using local data.
# get global oso instancerequire 'app/oso'get '/repos/:repoId' do user = { "type" => "User", "id" => request.user.id } repo = { "type" => "Repository", "id" => params[:repoId] } query = Oso.authorize_local(user, "read", repo) if !Issue.connection.select_value(query) raise Sinatra::PermissionDenied end # fetch repository from database, etc.end
All data stored in Oso Cloud
If all relevant authorization data is stored in Oso
Cloud, use
the authorize
command in your client.
For example, suppose we have a controller method to read a repository. We'll typically build the user object from authentication information, and extract the repository ID from the request path parameters.
And finally, we can check the user is authorized to perform the read
action on the repository.
// get global oso instanceimport { oso } from "../app";router.get("/repos/:repoId", async (req, res) => { const user = { type: "User", id: req.user.id }; const repo = { type: "Repository", id: req.params.repoId }; if (!(await oso.authorize(user, "read", repo))) { return res.status(403).send("Unauthorized"); } // fetch repository from database, etc.});
Talk to an Oso Engineer
If you'd like to learm more about how to use local data in enforcement or have any questions about this guide, schedule a 1x1 with an Oso engineer. We're happy to help.