AccessProvider

Learn: Access providers

We recommend you use FSL to create and update access providers. See FSL access provider schema.

An access provider registers an external identity provider (IdP), such as Auth0, in your Fauna database.

Once set up, the IdP can issue JSON Web Tokens (JWTs) that act as Fauna authentication secrets. This lets your application’s end users use the IdP for authentication.

AccessProvider collection

Fauna stores access providers as documents in the AccessProvider system collection. These documents are an FQL version of the FSL access provider schema.

AccessProvider documents have the following FQL structure:

{
  name: "someIssuer",
  coll: AccessProvider,
  ts: Time("2099-09-06T21:46:50.272Z"),
  roles: [
    "customer",
    {
      role: "manager",
      predicate: "(jwt) => jwt!.scope.includes(\"manager\")"
    }
  ],
  jwks_uri: "https://example.com/.well-known/jwks.json",
  audience: "https://db.fauna.com/db/ysij4khxoynr4",
  data: {
    desc: "Access provider for issuer"
  },
  issuer: "https://example.com/"
}

| Field | Type | Read-only | Required | Description |
|---|---|---|---|---|
| name | | | true | Unique name for the access provider in the database. Must begin with a letter. Can only include letters, numbers, and underscores. |
| coll | | true | | The document’s collection. For access providers, this value is AccessProvider. |
| ts | | true | | Document last changed timestamp. Updated only on document write. |
| issuer | | | true | Issuer for the IdP’s JWTs. Must match the iss claim in JWTs issued by the IdP. |
| jwks_uri | | | true | URI that points to public JSON web key sets (JWKS) for JWTs issued by the IdP. Fauna uses the keys to verify each JWT’s signature. |
| roles | | | | User-defined roles assigned to JWTs issued by the IdP. Can’t be built-in roles. A roles string is the name of a user-defined role. For roles objects, see the schema after this table. |
| audience | | true | | Globally unique URL for the Fauna database. audience URLs have the following structure: https://db.fauna.com/db/<DATABASE_ID> where <DATABASE_ID> is the globally unique ID for the database. Must match the aud claim in JWTs issued by the IdP. |
| data | | | | Arbitrary user-defined metadata for the provider. |

roles objects have the following schema:

| Field | Type | Description |
|---|---|---|
| role | | Name of a user-defined role. |
| predicate | | FQL predicate function. If present, JWTs are only assigned the role if the predicate evaluates to true. The predicate function is passed one argument: an object containing the JWT’s payload. The predicate function does not support shorthand syntax. |
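The issuer and audience fields must match the iss and aud claims of the IdP's JWTs, and a mismatch as small as a trailing slash is enough to break that match. The following Python diagnostic is an added example, not Fauna's own code: it decodes a token's payload and reports such mismatches against the example document on this page. The function names are hypothetical, exact string comparison is an assumption, and the signature is not checked here (Fauna verifies it with the keys at jwks_uri).

```python
import base64
import json

# Constructed values copied from the example AccessProvider document on this page.
PROVIDER = {
    "issuer": "https://example.com/",
    "audience": "https://db.fauna.com/db/ysij4khxoynr4",
}

def decode_payload(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def claim_problems(payload: dict, provider: dict) -> list:
    """Compare iss/aud with the provider document (exact match is an assumption)."""
    problems = []
    iss = payload.get("iss")
    if iss != provider["issuer"]:
        if isinstance(iss, str) and iss.rstrip("/") == provider["issuer"].rstrip("/"):
            problems.append("iss differs from issuer only by a trailing slash")
        else:
            problems.append("iss does not match issuer")
    aud = payload.get("aud")
    # RFC 7519 allows aud to be one string or an array of strings.
    audiences = [aud] if isinstance(aud, str) else (aud if isinstance(aud, list) else [])
    if provider["audience"] not in audiences:
        problems.append("aud does not contain the provider audience")
    return problems

def expected_roles(payload: dict) -> list:
    """Mirror the example roles: 'customer' always, 'manager' via the scope predicate."""
    roles = ["customer"]
    if "manager" in payload.get("scope", []):
        roles.append("manager")
    return roles

def make_token(payload: dict) -> str:
    """Build a constructed token with a placeholder signature for offline use."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(payload), "c2ln"])
```

Run it against a token from your IdP's test tenant before creating the access provider; an empty list from claim_problems means the iss and aud claims line up with the document.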

Static methods

You can use the following static methods to manage the AccessProvider collection in FQL.

Method Description

Get a Set of all access providers.

Get an access provider by its name.

Create an access provider.

Get the first access provider matching a provided predicate.

Get "AccessProvider" as a String.

Get a Set of access providers that match a provided predicate.

Instance methods

You can use the following instance methods to manage specific AccessProvider documents in FQL.

Method Description

Delete an access provider.

Test if an access provider exists.

Replace an access provider.

Update an access provider.
