Skip to main content

Authorizer Client

AuthorizerClient is the low-level interface that talks to the Aserto authorization API. It can be used on its own to make authorization requests or, more commonly, it can be used to create authorization middleware.

Create a Client

import (
    "log"

    "github.com/aserto-dev/go-aserto"
    "github.com/aserto-dev/go-aserto/az"
)

...

azClient, err := az.New(
    aserto.WithAPIKeyAuth("<Aserto authorizer API key"),
    aserto.WithTenantID("<Aserto tenant ID>"),
)
if err != nil {
    log.Fatal("Failed to create authorizer client:", err)
}
defer azClient.Close()

Make Authorization Calls

Using an authorizer client we can call the Is() API to check if a user is authorized to perform an operation.

import (
    "context"
    "fmt"
    "log"

    "github.com/aserto-dev/go-authorizer/aserto/authorizer/v2"
    "github.com/aserto-dev/go-authorizer/aserto/authorizer/v2/api"
)

...

ctx := context.Background()

result, err := azClient.Is(ctx, &authorizer.IsRequest{
    IdentityContext: &api.IdentityContext{          // The user performing the operation.
        Type: api.IdentityType_IDENTITY_TYPE_SUB,
        Identity: "username",
    },
    PolicyContext: &api.PolicyContext{
        Path:      "peoplefinder.GET.users",  // Policy module to evaluate.
        Decisions: []string{"allowed"},       // Policy rules to evaluate.
    },
    PolicyInstance: &api.PolicyInstance {
        Name: "<policy name>",
    },
})
if err != nil {
    log.Fatal("Failed to call authorizer:", err)
}

// Check the authorizer's decision.
for _, decision := range result.Decisions {
    if decision.Decision == "allowed" {
        if decision.Is {
            fmt.Println("Access granted")
        } else {
            fmt.Println("Access denied")
        }
    }
}

We can similarly call the DecisionTree() and Query() APIs.