AccessProvider

An AccessProvider is a document within a Fauna database that configures one half of the relationship required to access authentication information from an external identity provider. The other half of the relationship is configured in the identity provider.

Definition

An AccessProvider document has this structure:

{
  ref: AccessProvider("Auth0-myapp"),
  ts: 1604524688650000,
  name: 'Auth0-myapp',
  issuer: 'https://myapp.auth0.com/',
  jwks_uri: 'https://myapp.auth0.com/.well-known/jwks.json',
  audience: 'https://db.fauna.com/db/yxuihtdghybyy'
}

Field Name Field Type Definition and Requirements

Field Name	Field Type	Definition and Requirements
`name`	String	A unique name for the AccessProvider. You can use this name to retrieve the AccessProvider later.
`issuer`	String	An HTTPS URI for the IdP that you are using to grant access to Fauna. This is typically an account-/app-specific URI that your IdP provides.
`jwks_uri`	String	A valid HTTPS URI, which should serve the JSON Web Key that signs the JWT tokens from your IdP.
`roles`	Array of Role References or Role-predicate objects.	Optional - Defines the roles that should be evaluated to determine access for a provided JWT token. When `roles` is not specified, no privileges are defined — queries with JWT tokens from the specified `issuer` cannot be processed. The usual use of `roles` is to specify a list of one or more Role references: `roles: [ Role('developers'), Role('managers') ]` Per overlapping roles, any role that grants access means that the query involving a JWT token is processed, even if another Role might deny access. A Role-predicate object specifies a Role to potentially evaluate, whose evaluation is determined by the specified predicate function: `{ role: Role('executives'), predicate: Query(Lambda("accessToken", ... )), }` The `predicate` function is passed an object representing the `payload` field from the JWT token. The `payload` field contains claims, which are statements about the user represented by the JWT token. How these claims are specified/interpreted can vary depending on the IdP. See https://jwt.io/introduction/ for background information, and your IdP’s documentation, for more details. The `predicate` function must return a boolean value, and if the result is `true`, the specified Role is evaluated to determine whether the access required to execute the query (in the request accompanying the JWT token) has been granted.
`data`	Object	Optional - Contains user-defined metadata for the AccessProvider. It is provided for the developer to store AccessProvider-relevant information.
`audience`	String	Read only - A unique URL for your database that should be used in the `audience` configuration for an identity provider. Fauna creates this field automatically when you create a database (see the `CreateDatabase` function).

name

String

A unique name for the AccessProvider. You can use this name to retrieve the AccessProvider later.

issuer

String

An HTTPS URI for the IdP that you are using to grant access to Fauna. This is typically an account-/app-specific URI that your IdP provides.

jwks_uri

String

A valid HTTPS URI, which should serve the JSON Web Key that signs the JWT tokens from your IdP.

roles

Array of Role References or Role-predicate objects.

Optional - Defines the roles that should be evaluated to determine access for a provided JWT token.

When roles is not specified, no privileges are defined — queries with JWT tokens from the specified issuer cannot be processed.

The usual use of roles is to specify a list of one or more Role references:

roles: [ Role('developers'), Role('managers') ]

Per overlapping roles, any role that grants access means that the query involving a JWT token is processed, even if another Role might deny access.

A Role-predicate object specifies a Role to potentially evaluate, whose evaluation is determined by the specified predicate function:

{
  role: Role('executives'),
  predicate: Query(Lambda("accessToken", ... )),
}

The predicate function is passed an object representing the payload field from the JWT token. The payload field contains claims, which are statements about the user represented by the JWT token. How these claims are specified/interpreted can vary depending on the IdP. See https://jwt.io/introduction/ for background information, and your IdP’s documentation, for more details.

The predicate function must return a boolean value, and if the result is true, the specified Role is evaluated to determine whether the access required to execute the query (in the request accompanying the JWT token) has been granted.

data

Object

Optional - Contains user-defined metadata for the AccessProvider. It is provided for the developer to store AccessProvider-relevant information.

audience

String

Read only - A unique URL for your database that should be used in the audience configuration for an identity provider. Fauna creates this field automatically when you create a database (see the CreateDatabase function).

CreateAccessProvider

Was this article helpful?

We're sorry to hear that.
Tell us how we can improve!
Visit Fauna's Discourse forums or email docs@fauna.com

Thank you for your feedback!

AccessProvider

Definition

Related

Keyboard shortcuts

While reading

While searching

URL fragments