Authorization Query Handling Flow
This document outlines how authorization queries flow through Oso Cloud, so that you can understand how Oso processes them and where latency and data access occur.
Query processing architecture
When a client makes an authorization query to Oso Cloud, it follows this path:
[Client] --req--> [Policy evaluation] --> [Authz data eval]
    ^                                            |
    └------------------------ res ---------------┘
- Client sends an authorization query.
- Policy evaluation determines which authorization data needs to be evaluated.
- Authorization data evaluation processes the query against your environment's centralized authorization data and returns the response to the client.
Query processing stages
Authorization queries go through the following stages:
- In Policy evaluation:
  - Policy Compilation: The query is compiled into Oso's internal representation.
    For efficiency, Oso Cloud caches the translation of policies that haven't changed, amortizing the conversion cost across multiple requests. This means compilation typically contributes minimal latency to individual requests.
  - Policy Unification: Oso evaluates the query in the context of the policy, determining which constraints are satisfied by rules in the policy.
  - SQL Binding: Unsatisfied constraints are converted into SQL queries, which are run against your environment's centralized authorization data.
- In Authorization data evaluation, Oso performs SQL evaluation: the bound SQL queries are executed to determine whether the remaining constraints can be satisfied.

In the case of Local Authorization, Oso instead tries to convert any unsatisfied constraints into queries that can be evaluated locally, against your own database, based on your local authorization configuration.
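The four stages above, modelled as an added toy example written for this page; it is not Oso Cloud's code and does not reflect how Oso's engine is implemented internally. It assumes a simplified Polar-like policy syntax with one body atom per rule (the real language is richer), a constructed `facts` table standing in for the centralized authorization data, and uses `functools.lru_cache` to stand in for reusing a compiled policy while its text is unchanged.

```python
import sqlite3
from functools import lru_cache

# Constructed policy in a simplified Polar-like syntax (one body atom per
# rule). has_permission is derived by rules; has_role has no rule, so it
# can only be satisfied by authorization data.
POLICY = """
has_permission(actor, "read", repo) if has_role(actor, "reader", repo);
has_permission(actor, "read", repo) if has_role(actor, "admin", repo);
has_permission(actor, "write", repo) if has_role(actor, "admin", repo);
"""

# Constructed facts standing in for the centralized authorization data.
FACTS = [
    ("has_role", "alice", "admin", "repo:acme"),
    ("has_role", "bob", "reader", "repo:acme"),
]


def parse_atom(atom):
    """'has_role(actor, "reader", repo)' -> ("has_role", "reader")."""
    pred, _, args = atom.strip().partition("(")
    value = args.split(",")[1].strip().strip('"')
    return pred, value


@lru_cache(maxsize=None)
def compile_policy(policy_text):
    """Stage 1, policy compilation: parse the policy into a rule table
    keyed by (predicate, value). lru_cache stands in for reusing the
    compiled form while the policy text is unchanged."""
    rules = {}
    for line in policy_text.strip().splitlines():
        head, _, body = line.rstrip(";").partition(" if ")
        rules.setdefault(parse_atom(head), []).append(parse_atom(body))
    return rules


def unify(rules, constraint):
    """Stage 2, policy unification: rewrite the query against the rules
    until only constraints no rule can discharge remain. Each returned
    constraint is an alternative: any one present in the data suffices."""
    pred, actor, value, resource = constraint
    bodies = rules.get((pred, value))
    if bodies is None:
        return [constraint]  # unsatisfied by the policy; needs data
    remaining = []
    for body_pred, body_value in bodies:
        remaining.extend(unify(rules, (body_pred, actor, body_value, resource)))
    return remaining


def bind_sql(constraints):
    """Stage 3, SQL binding: turn the remaining constraints into one
    parameterized query. Values are bound as parameters, never
    interpolated, so actor or resource names cannot change the query."""
    clause = "(predicate = ? AND actor = ? AND value = ? AND resource = ?)"
    sql = "SELECT COUNT(*) FROM facts WHERE " + " OR ".join([clause] * len(constraints))
    params = [field for constraint in constraints for field in constraint]
    return sql, params


def evaluate_sql(conn, sql, params):
    """Stage 4, SQL evaluation against the authorization data."""
    return conn.execute(sql, params).fetchone()[0] > 0


def load_facts(facts):
    """Constructed in-memory facts table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE facts (predicate TEXT, actor TEXT, value TEXT, resource TEXT)")
    conn.executemany("INSERT INTO facts VALUES (?, ?, ?, ?)", facts)
    return conn


def authorize(conn, policy_text, actor, action, resource):
    """Run one query through all four stages and return the decision."""
    rules = compile_policy(policy_text)
    remaining = unify(rules, ("has_permission", actor, action, resource))
    sql, params = bind_sql(remaining)
    return evaluate_sql(conn, sql, params)


if __name__ == "__main__":
    conn = load_facts(FACTS)
    for actor, action in [("alice", "write"), ("bob", "read"), ("bob", "write")]:
        print(actor, action, authorize(conn, POLICY, actor, action, "repo:acme"))
```

The point to take from the model is the split of work: unification consumes everything the policy text alone can decide (here, that `read` is granted by either the `reader` or the `admin` role), and only the residue (`has_role` facts) touches the data store, through a parameterized query. In the Local Authorization variant described above, that same residue would be bound into a query run against your own database instead of Oso Cloud's centralized data.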