access provider

Define an AccessProvider schema.

Syntax

access provider <apName> {
  issuer "<issuer URL>"
  jwks_uri "<jwks URI>"
  [ role <role name> [{ predicate <predicate function> }] …​ ]
  [ ttl "<time to live>" ]
}

Name

apName String Required

Unique name for the external identity provider (IdP). Can't be events, sets, self, documents, or the underscore (_) character, and can't include the percent (%) character.

Properties

issuer (String, required)

The issuer URL. This tells Fauna which IdP is permitted to send a JWT to authorize a query to be executed.

jwks_uri (String, required)

URI a client can access to get information on all the JWK keys used to verify or decrypt a JWT and confirm its validity. The standard convention is that this URL is the issuer URL with the .well-known/jwks.json string appended.

role (String, optional)

Role references, defined as <role name> or <role name> { predicate <predicate function> }. These roles are evaluated to determine access for the JWT. More than one role entry can be listed.

If a <predicate function> is provided, the role is only evaluated if the function returns true. The <predicate function> must be in long-form syntax as described in Anonymous functions.

ttl (Time, optional)

Timestamp indicating when to remove the document. When the document is removed it ceases to exist, and temporal queries can't recover the document.
Default = null, which persists the document indefinitely.

Examples

access provider ExampleAP {
  issuer "https://some-issuer.com"
  jwks_uri "https://some-issuer.com/.well-known/jwks.json"

  role myRole
  role yourRole {
    // the predicate is passed the JWT fields
    predicate (jwt => jwt.admin == true)
  }
}
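As an added illustration of the checks the properties above describe (this is not Fauna's code and does not show its actual evaluation), a stdlib-only Python model that verifies a JWT against the provider's issuer and keys, then returns the roles whose predicates pass over the claims. It assumes a constructed symmetric (kty "oct") JWK standing in for what jwks_uri would serve, so the HS256 verification runs offline; real IdPs typically publish RSA or EC keys.

```python
import base64, hashlib, hmac, json, time

# Constructed config mirroring the ExampleAP declaration above (assumption, not Fauna's structure).
ACCESS_PROVIDER = {
    "issuer": "https://some-issuer.com",
    "jwks_uri": "https://some-issuer.com/.well-known/jwks.json",
    "roles": {
        "myRole": None,                                    # no predicate: granted to any valid JWT
        "yourRole": lambda jwt: jwt.get("admin") is True,  # predicate over the JWT claims
    },
}

# Constructed JWKS document standing in for the body served at jwks_uri.
JWKS = {"keys": [{"kty": "oct", "kid": "k1", "alg": "HS256",
                  "k": base64.urlsafe_b64encode(b"constructed-demo-secret").rstrip(b"=").decode()}]}

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _key_for(kid: str) -> bytes:
    """Look the signing key up in the JWKS by kid; unknown kids are rejected, not guessed."""
    for jwk in JWKS["keys"]:
        if jwk.get("kty") == "oct" and jwk.get("kid") == kid:
            return _b64url_decode(jwk["k"])
    raise ValueError("no key for kid")

def mint_token(claims: dict, kid: str = "k1") -> str:
    """Build an HS256 JWT, playing the IdP side for the demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(_key_for(kid), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def roles_for_token(token: str, now=None) -> list:
    """Verify signature, issuer and expiry, then evaluate each role's predicate on the claims."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never honour alg=none
    expected = hmac.new(_key_for(header.get("kid", "")), f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ACCESS_PROVIDER["issuer"]:
        raise ValueError("issuer not permitted")  # only the configured IdP may authorize queries
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return [name for name, pred in ACCESS_PROVIDER["roles"].items() if pred is None or pred(claims)]
```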