Skip to main content

Introduction to the Auth0 Fine Grained Authorization (FGA) Playground

note
Auth0 Fine Grained Authorization (FGA) is the early-stage product we are building at Auth0 to solve fine-grained authorization at scale. Sign up for the Developer Community Preview to try it out, and join our Discord community if you are interested in learning more about our plans.

Please note that at this point in time, it is not considered production-ready and does not come with any SLAs; availability and uptime are not guaranteed. Limitations of Auth0 FGA during the Developer Community Preview can be found here.

What is Auth0 FGA Playground?

The Auth0 FGA Playground is a learning tool meant to help you learn and play with Auth0 Fine Grained Authorization (FGA). It allows you to easily create, visualize, share and test your authorization models.

Warning

Currently on the Playground, store security is through obscurity; to access a store you need to know its UUID, but there are no other checks. Please use identifiers and do not store any PII or data that cannot be public.

The Auth0 FGA Playground

Get started with Auth0 Fine Grained Authorization on the Auth0 FGA Playground

Tour of Auth0 FGA Playground

If this is the first time you visit the Auth0 FGA Playground, it will ask you to go through a tour to explain how you can use it. We suggest taking a moment to complete the tour there before coming back to this post.

  1. In your browser, open https://play.fga.dev in a new tab.

  2. You should see this page if this is the first time you click on that link: Image showing the Auth0 FGA Playground asking to complete the intro

    The Auth0 FGA Playground asking to complete the tutorial. Press NEXT to see the intro or SKIP to skip it

  3. If you skip or complete the intro, you will be asked if you would like to go through the tour: Image showing the Auth0 FGA Playground asking to complete the tour

    The Auth0 FGA Playground asking to complete the tour. Press TAKE A TOUR to start the tour or GET STARTED to skip directly to the playground

  4. You should see this page if you have completed the tour Image showing the Auth0 FGA Playground

    The Auth0 FGA Playground once the tour is completed

Default Stores vs. User Stores

The Auth0 FGA Playground has both default stores and user stores.

Default stores have authorization models, relationship tuples and assertions that are pre-populated by Auth0 and are not modifiable. They are samples to allow you to better understand advanced use cases.

User stores are user defined configurations. The authorization models, relationship tuples and assertions may be modified and saved.

Creating a new store

  1. Click the NEW STORE button on the top right hand corner of the screen. Image showing the Auth0 FGA Playground New Store button

  2. Type in store name in the text box. Note that the store name may only contain letters, numbers and '-'. Image showing the Auth0 FGA Playground new store prompt

  3. Click CREATE button. Image showing the Auth0 FGA Playground new store create button

Saving your model

  1. On your User Stores, you may make changes to the authorization model in the types panel located on the upper left part of the screen. Note that only the DSL syntax is supported. Image showing the Auth0 FGA Playground types panel

  2. After the changes are made, click SAVE. Image showing the Auth0 FGA Playground types save button

  3. After the authorization model is saved, the Types Previewer will be updated with the new authorization model preview. Image showing the Auth0 FGA Playground type preview

  4. After the authorization model is saved, the SAVE button is no longer active. Image showing the Auth0 FGA Playground type save button after save

    info
    • Playground will only save if there are no syntax errors.
    info

    Syntax errors will be highlighted in red. Hovering the mouse over the error will provide additional details. Image showing the Auth0 FGA Playground with invalid syntax

Adding relationship tuples

  1. On your User Stores, you may add relationship tuples in the relationship tuples panel located on the lower left part of the screen. Image showing the Auth0 FGA Playground relationship tuples panel

  2. Click ADD TUPLE to add new relationship tuples. Image showing the Auth0 FGA Playground add tuples button

  3. This will bring up the text boxes for User, Relation and Object. Type in the values desired. Image showing the Auth0 FGA Playground add tuples screen

  4. Click SAVE button. Image showing the Auth0 FGA Playground add tuples save button

  5. The added relationship tuples will be shown in the relationship tuples panel. Image showing the Auth0 FGA Playground relationship tuples added

  6. Relationship tuples may be removed by clicking the garbage bin button. Image showing the Auth0 FGA Playground relationship tuples removal button

    info

    Relationship tuples may not be added if the corresponding authentication model has not yet been saved/updated. This can be verified by having an active SAVE button in the types panel.

Adding assertions

  1. On your User Stores, you may run assertions to test authorization models and relationship tuples. To add new assertions, click Assertions tab in the relationship tuples panel located on the lower left part of the screen. Image showing the Auth0 FGA Playground assertions tab

  2. After Assertions tab is selected, click ADD ASSERTION to add new assertions. Image showing the Auth0 FGA Playground add assertion button

  3. This will bring up the text for User, Relation and Object. Type in the values desired. The Allowed selection is TRUE if you want to assert the relationship exists. Otherwise, Allowed selection is FALSE if you want to assert the relationship does not exist. Image showing the Auth0 FGA Playground assertion true relationship

  4. Click SAVE button to add the assertion. Image showing the Auth0 FGA Playground assertion being saved

  5. Assert for non-existing relationship by selected Allowed to be FALSE. Image showing the Auth0 FGA Playground assertion false relationship

  6. To run all tests, click the Run all tests button. Image showing the Auth0 FGA Playground assertion run all tests button

  7. The assertion test results are indicated in the assertion panels. The blue experiment box shows the number of tests. The green check box indicates the number of passing assertions. The red slash box indicates the number of failed assertions. Image showing the Auth0 FGA Playground assertion results

Running queries

  1. You may also run relationship tuple queries to view how the relationship is established between a user and an object. To do this, click the TUPLE QUERIES tab in the previewer panel at the lower right half of the screen. Image showing the Auth0 FGA Playground queries tab

  2. After TUPLE QUERIES tab is clicked, you will be shown the TUPLE QUERIES panel where you can type the query at the text box. Image showing the Auth0 FGA Playground query text box

There are two types of queries that can be asked:

The first type of query is of the form: "Is x related to y as z?". This form of query will provide visualization on why the relationship exists between user and object.

  1. In the query box, type "Is adam related to resource:page1 as reader?" and type Enter. Image showing the Auth0 FGA Playground is related query

  2. A successful query will show visualization on how the relationship is established in the TUPLE QUERIES panel. Image showing the Auth0 FGA Playground successful how query

  3. An unsuccessful query will be denoted with a red box in the TUPLE QUERIES panel. Image showing the Auth0 FGA Playground unsuccessful query

The second type of query is of the form: "Who is related to y as z?". This form of query will provide visualization on who has a particular relationship with an object.

  1. In the query box, type "who is to related to resource:page1 as reader?" and type Enter. Image showing the Auth0 FGA Playground who is related query

  2. A successful query will show visualization on all the users that have the relationship in the TUPLE QUERIES panel. As it can be seen, only adam has reader relationship with resource:page1. Image showing the Auth0 FGA Playground successful who query

Getting store ID

The store ID is a value that uniquely identify the store. To obtain the store ID:

  1. Click on the three dots button on the top-right of the screen. Image showing button to press

  2. Select Copy Store ID on the top-right of the screen. Image showing pasted text

  3. The store ID is in the clipboard.

Sharing the store

You can also share the store to others by sending them the playground's store URL. To share the store:

  1. Click on the three dots button on the top-right of the screen. Image showing button to press

  2. Select Share on the top-right of the screen. Image showing button to share

  3. The playground's store URL is in the clipboard.

  4. To load the playground's shared store, paste the URL in the address bar and press enter. You will be asked to Create store. Enter a name that you wish to uniquely identify this store. Image showing store URL being entered

Entitlements

Modeling Entitlements for a System in Auth0 FGA.

IoT

Modeling Fine Grained Authorization for an IoT Security Camera System with Auth0 FGA.

Slack

Modeling Authorization for Slack with Auth0 FGA.

Have Feedback?

Join us on the Discord community if you have any questions or suggestions.