Enforce Authorization in your Application

After making authorization decisions for requests, your application must enforce those decisions. What enforcement looks like is context-dependent, but it includes actions like returning an error to the requestor or filtering the data the requestor is allowed to see.

Below, you will find detailed enforcement code samples in languages we support; they'll include uses of the Oso Cloud API to make authorization decisions for requests followed by enforcement strategies. However, which Oso Cloud API you use depends on where your authorization data is stored.

All data stored in Oso Cloud

If all relevant authorization data is stored in Oso Cloud, use the authorize command in your client.

For example, suppose we have a controller method to read a repository. We'll typically build the user object from authentication information, and extract the repository ID from the request path parameters.

Finally, we check that the user is authorized to perform the read action on the repository, and deny the request if not.


// get global oso instance
import { oso } from "../app";
import express from "express";

const router = express.Router();

router.get("/repos/:repoId", async (req, res) => {
  // Actor comes from the authenticated session; resource ID comes from the path.
  const user = { type: "User", id: req.user.id };
  const repo = { type: "Repository", id: req.params.repoId };
  // Fail closed: deny unless Oso Cloud explicitly allows the read.
  if (!(await oso.authorize(user, "read", repo))) {
    return res.status(403).send("Unauthorized");
  }
  // fetch repository from database, etc.
});

export default router;

Some data stored locally

If your application database retains relevant authorization data, use the authorize_local command in your client, which is also known as the distributed check API.

When you initialize the Oso Cloud client, provide the path to the data bindings YAML configuration, which tells Oso Cloud how the facts in your policy map onto tables in your local database:


oso = OsoCloud::new(
  ...
  data_bindings: "path/to/data_bindings.yaml"
)

Returning to the repository example, first use authorize_local to tell Oso Cloud to partially evaluate whether the user is authorized to perform the read action on the repository.

Then, use the resulting query to finish the evaluation using local data.


# get global oso instance (Oso is the client initialized with data_bindings above)
require 'app/oso'

get '/repos/:repoId' do
  # Actor comes from the authenticated session; resource ID comes from the path.
  user = { "type" => "User", "id" => request.user.id }
  repo = { "type" => "Repository", "id" => params[:repoId] }
  # Oso Cloud partially evaluates the policy and returns a query to run
  # against the local database.
  query = Oso.authorize_local(user, "read", repo)
  # Finish the evaluation locally; fail closed unless the query returns a truthy value.
  unless Issue.connection.select_value(query)
    halt 403, "Unauthorized"
  end
  # fetch repository from database, etc.
end
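The distributed check flow above, as an added end-to-end example in Python (not code from the Oso docs or SDK): a stand-in client whose authorize_local returns a constructed, parameterized SQL query, which the application finishes against an in-memory SQLite database. The real Oso Cloud client returns the query to run against your own database; the point here is the enforcement step, which fails closed on NULL, 0 or a failing query.

```python
import sqlite3


def make_local_db() -> sqlite3.Connection:
    """Constructed in-memory application database, standing in for the
    local data that a distributed check evaluates against."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE repositories (id TEXT PRIMARY KEY, org_id TEXT);
        CREATE TABLE org_members (user_id TEXT, org_id TEXT, role TEXT);
        INSERT INTO repositories VALUES ('repo-1', 'acme'), ('repo-2', 'globex');
        INSERT INTO org_members VALUES ('alice', 'acme', 'member');
    """)
    return db


class FakeOsoClient:
    """Assumed stand-in for the Oso Cloud client, not the real SDK.
    authorize_local returns (sql, params): a query that yields a truthy
    value only when local data proves the user may perform the action."""

    def authorize_local(self, user: dict, action: str, resource: dict):
        # Constructed query: the real service partially evaluates the policy
        # and emits a query over the tables named in data_bindings.yaml.
        if action != "read" or resource["type"] != "Repository":
            return "SELECT 0", ()
        sql = (
            "SELECT EXISTS(SELECT 1 FROM repositories r "
            "JOIN org_members m ON m.org_id = r.org_id "
            "WHERE r.id = ? AND m.user_id = ?)"
        )
        return sql, (resource["id"], user["id"])


def enforce_read(oso, db: sqlite3.Connection, user_id: str, repo_id: str) -> bool:
    """Distributed check: fetch the partially evaluated query from Oso,
    finish it against local data, and fail closed on anything but a
    definite allow (NULL, 0 or a failing query all mean deny)."""
    user = {"type": "User", "id": user_id}
    repo = {"type": "Repository", "id": repo_id}
    sql, params = oso.authorize_local(user, "read", repo)
    try:
        row = db.execute(sql, params).fetchone()
    except sqlite3.Error:
        return False  # a broken query must never grant access
    return bool(row and row[0])
```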

Talk to an Oso Engineer

If you'd like to learn more about how to use local data in enforcement or have any questions about this guide, schedule a 1x1 with an Oso engineer. We're happy to help.
