authz

Small Go service. It speak AuthZEN. It ask OpenFGA: "Can user do thing?"

What this thing do

PDP: answer yes/no access.
PAP: read, grant, and revoke role tuples.
OpenFGA: hold the real auth model and tuples.

Need

Go
Docker
OpenFGA, easiest with Docker Compose

Start

Start OpenFGA:

docker compose up openfga

Make config.json in repo root. Git ignore this file, good place for local IDs:

{
  "api_url": "http://localhost:8080",
  "store_id": "<store-id>",
  "authorization_model_id": "<model-id>"
}

OpenFGA store must have model from openfga/samples/model.fga.

Run API:

make run

With make run:

public API at http://localhost:8081
private API at http://localhost:8090
OpenFGA at http://localhost:8080

Public interface

Public interface is for north-south callers behind the edge authentication layer.

Every public route requires authentication.
Default auth uses X-Auth-Request-Email from the trusted edge.
JWT auth can be selected with --public-auth-strategy jwt --jwt-secret <secret>.
PAP search/grant/revoke checks if the authenticated user can read or edit roles on resource.

Example:

curl -sS http://localhost:8081/.well-known/authzen-configuration \
  -H 'X-Auth-Request-Email: alice@example.com'

Private interface

Private interface trust caller. It exposes PDP and PAP with no extra guard.

Use it only for local dev, tests, and trusted inside network.

curl -sS http://localhost:8090/.well-known/authzen-pap-configuration

Main paths

PDP paths:

GET /.well-known/authzen-configuration
POST /v1/access/evaluation
POST /v1/access/evaluations
POST /v1/search/subject
POST /v1/search/resource
POST /v1/search/action

PAP paths:

GET /.well-known/authzen-pap-configuration
POST /v1/assignment/action
POST /v1/search/assignment
POST /v1/assignment/grant
POST /v1/assignment/revoke

Ask yes/no

curl -sS http://localhost:8081/v1/access/evaluation \
  -H 'X-Auth-Request-Email: alice@example.com' \
  -H 'Content-Type: application/json' \
  -d '{
    "subject": {"type": "user", "id": "alice"},
    "action": {"name": "can_delete"},
    "resource": {"type": "namespace", "id": "payments"}
  }'

Good answer shape:

{
  "decision": true
}

Bad access is still normal answer:

{
  "decision": false
}

Handy commands

make build
make test
make lint
make fmt
make vet
make tidy

Public authentication flags:

--public-auth-strategy trusted-header
--trusted-header-name X-Auth-Request-Email
--public-auth-strategy jwt --jwt-claim email --jwt-secret <secret>

REST Client examples live in http/*.http.

Watch feet

config.json has local store IDs. Do not commit it.
http/pap.http can change OpenFGA tuples.
Private port has sharp rocks. Do not expose to world.

Name		Name	Last commit message	Last commit date
Latest commit History 11 Commits
.agents/skills		.agents/skills
.github/workflows		.github/workflows
cmd/api		cmd/api
http		http
internal		internal
openfga/samples		openfga/samples
.dockerignore		.dockerignore
.gitignore		.gitignore
.golangci.yml		.golangci.yml
AGENTS.md		AGENTS.md
Dockerfile		Dockerfile
Makefile		Makefile
compose.yaml		compose.yaml
go.mod		go.mod
go.sum		go.sum
readme.md		readme.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

authz

What this thing do

Need

Start

Public interface

Private interface

Main paths

Ask yes/no

Handy commands

Watch feet

About

Uh oh!

Releases 3

Packages

Uh oh!

Uh oh!

Contributors

Uh oh!

Languages

Folders and files

Latest commit

History

Repository files navigation

authz

What this thing do

Need

Start

Public interface

Private interface

Main paths

Ask yes/no

Handy commands

Watch feet

About

Resources

Uh oh!

Stars

Watchers

Forks

Releases 3

Packages 0

Uh oh!

Uh oh!

Contributors

Uh oh!

Languages

Packages