Local Authorization Enhancements: What’s New and Why It Matters

Note: If you didn’t see our blog post Launching Local Authorization, we renamed “Distributed Authorization” to “Local Authorization” to reflect a more accurate approach to solving authorization challenges. Local Authorization keeps data local for decisions, centralizes logic in Oso Cloud, and simplifies workflows by avoiding unnecessary data syncs, ensuring consistency and flexibility.

We’ve made significant updates to Oso’s Local Authorization capabilities in our V2 SDKs (Node.js, Go, Python). These enhancements allow you to define complex authorization rules and adapt them to varied use cases.

Context facts in V2 clients

You can now include context facts in any of the Local Check API’s. 

Why should context facts matter to you?

Context facts are temporary data specific to requests, sessions, or locations that enhance authorization decisions by adapting logic to the current context without requiring database storage.

You can now include context facts in Local Check APIs, enabling dynamic, real-time authorization decisions based on request-specific details like session data or location. For example, if your application needs to restrict access based on whether a request is from a specific IP address, you can include that as a context fact without modifying your database.

How can you use them?

Imagine some authorization decisions depend on whether the request originated from within the European Union. This is how you could include that information as a context fact using the Python SDK and SQLAlchemy:

alice = Value("User", "alice")
acme = Value("Repo", "acme")‍

query = oso.authorize_local(alice, "read", acme, [("request_from_eu", True)])
authorized = session.execute(sqlalchemy.text(query)).scalar()
if not authorized:  
   raise Exception("Action is not allowed")

The Query Builder for Local Authorization in V2 clients

We've added Local Authorization support to the Query Builder. You can use the Query Builder to construct virtually any question about authorization, and get back a SQL query that you can run against your own database to fetch the answer. This allows you to evaluate permissions based on local data without syncing with centralized storage. 

Why should the query builder matter to you?

Authorization often requires complex database queries, and while our existing authorizeLocal, actionsLocal, and listLocal APIs handle most common cases well, they lack the flexibility to address every scenario—making the Query Builder crucial.

Now, the Query Builder empowers you to:

  • Construct and run precise SQL queries directly from your policies.
  • Allows you to chain methods and combine conditions, relationships, and constraints to define accessible data.
  • Ensure your database queries stay consistent with your authorization logic.

This simplifies fetching authorized resources, like projects a user can view or files they can edit, while ensuring database queries align with your policies.

How can you use them?

Here's an example on querying for authorized repos that belong to a specific organization, using the Python SDK and SQLAlchemy:

actor = Value("User", "bob")
repo_var = typed_var("Repository")
org = Value("Org", "coolguys")
sql_query = (oso
    .build_query(("allow", actor, "read", repo_var))
    .and_(("has_relation", repo_var, "parent", org))
    .evaluate_local_select({"repo_id": repo_var})
)
# => 'SELECT "repo_id" FROM (... /* only repos bob can read which belong to coolguys */)'
session.execute(sqlalchemy.sql.text(sql_query)).scalars().all()
# => ["acme", "anvil"]


With this feature, you save time and avoid errors by generating queries directly from your policy rules.

The Query Builder is available in our V2 SDKs– Node.js, Go, and Python

Recursion in Local Authorization

It's fairly common for policy logic to be recursive-- for example, it's hard to imagine how to model files and folders without recursion, or to cascade permissions through hierarchical structures like organizations or teams.

Previously, recursion was only available for centralized data. With our new Local Recursion support, you can apply recursive policy logic directly on local data, enabling more flexible decision-making. 

Local recursion is not quite generally available yet-- we're slowly rolling it out. We will let you know when it is GA! 

Get Started Today

To wrap it up, the updates to Oso’s Local Authorization in the V2 SDKs make it easier to build flexible authorization workflows. With tools like context facts, the Query Builder, and local recursion, you can handle complex scenarios while keeping your data local and your policies consistent. 

We’d love to hear your feedback as you explore these features—let us know how they’re making your life easier!

Want us to remind you?
We'll email you before the event with a friendly reminder.

Write your first policy