How to Restrict OIDC Clients to Administrative vs. Read-Only Calls

[sfiodorov]

We’re looking into adopting OpenFGA for our system and plan to use OIDC authentication (Duende IdentityServer, for instance). We want to limit certain clients to full administrative privileges (e.g., the ability to write relationships, manage stores, etc.), while all other clients should be restricted to read-only access (e.g., perform permission checks, but not modify data).
Is this supported today, or planned for future support?

[aaguiarz]

Hi @sfiodorov

You'd need to use this experimental feature https://openfga.dev/docs/getting-started/setup-openfga/access-control

If you give it a try, please let us know how it works for you.

[sfiodorov]

Cool.
Will test it and update here.
Thanks

[sfiodorov]

Hey again
Just to be sure.
I see in your docs that you can create a store with a command like:
fga store create --name root-access-control --model ./model.fga
Is there a way to perform that same setup using the OpenFGA REST API? For instance, in a Kubernetes deployment, we’d like to automate or script this entirely via REST rather than using the CLI and copying files

[rhamzeh]

Yep - the CLI is just calling the API over HTTP.

It's calling:

CreateStore({
  "name": "root-access-control" // feel free to put any name you like that helps you Identify it
})

aka POST /stores, with {"name": "root-access-control"} as the body

and then once you have the store

WriteAuthorizationModel({
	... json representation of the model ...
})

aka POST /stores/{store_id}/authorization-models, with the json representation of that model as the body

To transform the model to the json representation of the model using the CLI

fga model transform --file model.fga