Skip to main content

Modeling Basics

note
Auth0 Fine Grained Authorization (FGA) is the early-stage product we are building at Auth0 to solve fine-grained authorization at scale. Sign up for the Developer Community Preview to try it out, and join our Discord community if you are interested in learning more about our plans.

Please note that at this point in time, it is not considered production-ready and does not come with any SLAs; availability and uptime are not guaranteed. Limitations of Auth0 FGA during the Developer Community Preview can be found here.

In this guide you will learn how to grant a user access to an object (such as a certain document) in Auth0 FGA.

When to use

Granting access with relationship tuple is a core part of Auth0 FGA. Without them, any checks will fail. You should use:

  • authorization model to represent what relations are possible between the users and objects in the system
  • relationship tuples to represent the facts about the relationships between users and objects in your system.

Before you start

In order to understand this guide correctly you must be familiar with some Auth0 FGA Concepts and know how to develop the things that we will list below.

Assume that you have the following authorization model.
You have a type called document that can have a viewer and/or an editor.

type document
  relations
    define viewer as self
    define editor as self

In addition, you will need to know the following:

Auth0 FGA Concepts

  • A Type: a class of objects that have similar characteristics
  • A User: an entity in the system that can be related to an object
  • A Relation: is a string defined in the type definition of an authorization model that defines the possibility of a relationship between objects of this type and other users in the system
  • An Object: represents an entity in the system. Users' relationships to it can be define through relationship tuples and the authorization model
  • A Relationship Tuple: a grouping consisting of a user, a relation and an object stored in Auth0 FGA

The Playground

Try this guide out on the Auth0 FGA Playground

Step by Step

For our applications to understand that user x has access to document y, we need to provide Auth0 Fine Grained Authorization (FGA) that information through relationship tuples. Each relationship tuple has three basic parameters, a user, a relation and an object.

01. Create a relationship tuple

Let us add a relationship tuple to indicate that bob who is an editor of document:meeting_notes.doc. This is represented by adding the following:

Initialize the SDK
// FGA_ENVIRONMENT can be "us" (default if not set) for Developer Community Preview or "playground" for the Playground API
// import the SDK
const { Auth0FgaApi } = require('@auth0/fga');

// Initialize the SDK
const fgaClient = new Auth0FgaApi({
  environment: process.env.FGA_ENVIRONMENT,
  storeId: process.env.FGA_STORE_ID,
  clientId: process.env.FGA_CLIENT_ID,
  clientSecret: process.env.FGA_CLIENT_SECRET,
});

await fgaClient.write({
  writes: {
    tuple_keys: [
      { user: 'bob', relation: 'editor', object: 'document:meeting_notes.doc'}
    ]
  }
});

02. Check that the relationship exists

Once that relationship tuple is added to Auth0 FGA, we can check if the relationship is valid by asking the following: "is bob an editor of document:meeting_notes.doc?"

Initialize the SDK
// FGA_ENVIRONMENT can be "us" (default if not set) for Developer Community Preview or "playground" for the Playground API
// import the SDK
const { Auth0FgaApi } = require('@auth0/fga');

// Initialize the SDK
const fgaClient = new Auth0FgaApi({
  environment: process.env.FGA_ENVIRONMENT,
  storeId: process.env.FGA_STORE_ID,
  clientId: process.env.FGA_CLIENT_ID,
  clientSecret: process.env.FGA_CLIENT_SECRET,
});

// Run a check
const { allowed } = await fgaClient.check({
  tuple_key: {
    user: 'bob',
    relation: 'editor',
    object: 'document:meeting_notes.doc',
  },});

// allowed = true

If we were to check the following: "is bob a viewer of document:meeting_notes.doc?" it would return false since that relationship tuple does not exist within Auth0 FGA yet.

Initialize the SDK
// FGA_ENVIRONMENT can be "us" (default if not set) for Developer Community Preview or "playground" for the Playground API
// import the SDK
const { Auth0FgaApi } = require('@auth0/fga');

// Initialize the SDK
const fgaClient = new Auth0FgaApi({
  environment: process.env.FGA_ENVIRONMENT,
  storeId: process.env.FGA_STORE_ID,
  clientId: process.env.FGA_CLIENT_ID,
  clientSecret: process.env.FGA_CLIENT_SECRET,
});

// Run a check
const { allowed } = await fgaClient.check({
  tuple_key: {
    user: 'bob',
    relation: 'viewer',
    object: 'document:meeting_notes.doc',
  },});

// allowed = false
caution

Note: When creating relationship tuples for Auth0 Fine Grained Authorization (FGA) make sure to use unique ids for each object and user within your application domain. We're using first names and simple ids to just illustrate an easy-to-follow example.

Check the following sections for more on how to model with Auth0 FGA.
Auth0 FGA Concepts

Learn about the Auth0 FGA Concepts.

Modeling: Getting Started

Learn about how to get started with modeling.

Configuration Language

Learn about Auth0 FGA Configuration Language.

Have Feedback?

Join us on the Discord community if you have any questions or suggestions.