FSL access provider schema

This page covers the FSL syntax for access provider schemas. For an overview of access providers, see Access providers.

An FSL access provider schema defines an access provider. An access provider registers an external identity provider (IdP), such as Auth0, in your Fauna database.

access provider someIssuer {
  issuer "https://example.com/"
  jwks_uri "https://example.com/.well-known/jwks.json"

  role customer
}

Once set up, the IdP can issue JSON Web Tokens (JWTs) that act as Fauna authentication secrets. This lets your application’s end users use the IdP for authentication.

You can create and manage schema using any of the following:

Fauna stores each access provider schema as an FQL document in the AccessProvider system collection.

FSL syntax

access provider <accessProvider> {
  issuer "<issuer>"
  jwks_uri "<jwksUri>"
  [role <role> [{
    predicate <predicateFunction>
  }] . . .]
}

Name

access provider Required: Unique name for the access provider in the database.

Must begin with a letter. Can only include letters, numbers, and underscores.

Properties

Property Required Description

Property	Required	Description
issuer	Yes	Issuer for the IdP’s JWTs. Must match the `iss` claim in JWTs issued by the IdP. The issuer URL. This tells Fauna which IdP is permitted to send a JWT to authorize a query to be executed.
jwks_uri	Yes	URI that points to public JSON web key sets (JWKS) for JWTs issued by the IdP. Fauna uses the keys to verify each JWT’s signature.
role		User-defined role assigned to JWTs issued by the IdP. Can’t be a built-in role. An access provider can have multiple `role` properties. Each `role` property can include a predicate function. If present, JWTs are only assigned the role if the predicate evaluates to `true`. The predicate function is passed one argument: an object containing the JWT’s payload. The predicate function does not support shorthand syntax.

issuer

Yes

Issuer for the IdP’s JWTs. Must match the iss claim in JWTs issued by the IdP.

The issuer URL. This tells Fauna which IdP is permitted to send a JWT to authorize a query to be executed.

jwks_uri

Yes

URI that points to public JSON web key sets (JWKS) for JWTs issued by the IdP. Fauna uses the keys to verify each JWT’s signature.

role

User-defined role assigned to JWTs issued by the IdP. Can’t be a built-in role.

An access provider can have multiple role properties.

Each role property can include a predicate function. If present, JWTs are only assigned the role if the predicate evaluates to true.

The predicate function is passed one argument: an object containing the JWT’s payload. The predicate function does not support shorthand syntax.

Examples

access provider someIssuer {
  issuer "https://example.com/"
  jwks_uri "https://example.com/.well-known/jwks.json"

  role customer
  role manager {
    predicate (jwt => jwt!.scope.includes("manager"))
  }
}

Is this article helpful?

Tell Fauna how the article can be improved:
Visit Fauna's forums or email docs@fauna.com

Thank you for your feedback!