Access provider schema

Learn: Access providers

Defines an access provider.

An access provider registers an external identity provider (IdP) or JSON Web Token (JWT) issuer, such as Auth0, in your Fauna database.

Once set up, the IdP can issue JWTs that act as Fauna authentication secrets. This lets your application’s end users use the IdP for authentication.

access provider someIssuer {
  issuer "https://example.com/"
  jwks_uri "https://example.com/.well-known/jwks.json"

  role customer
}

Syntax

access provider <accessProvider> {
  issuer "<issuer>"
  jwks_uri "<jwksUri>"
  [role <role> [{
    predicate <predicateFunction>
  }] . . .]
}

Name

access provider Required

Unique name for the access provider in the database.

Must begin with a letter. Can only include letters, numbers, and underscores.

Properties

Property Required Description

issuer

Yes

Issuer URL for the IdP’s JWTs. Must match the iss claim in JWTs issued by the IdP. This tells Fauna which IdP is permitted to present a JWT that authorizes a query.

jwks_uri

Yes

URI that points to the public JSON Web Key Set (JWKS) for JWTs issued by the IdP. Fauna uses the keys to verify each JWT’s signature.

role

No

User-defined role assigned to JWTs issued by the IdP. Can’t be a built-in role.

An access provider can have multiple role properties.

Each role property can include a predicate function. If present, a JWT is assigned the role only if the predicate evaluates to true for that JWT.

The predicate function is passed one argument: an object containing the JWT’s payload (its claims). The predicate function does not support shorthand syntax.

Examples

access provider someIssuer {
  issuer "https://example.com/"
  jwks_uri "https://example.com/.well-known/jwks.json"

  role customer
  role manager {
    predicate (jwt => jwt!.scope.includes("manager"))
  }
}
