OPA Spring Boot SDK Policy Input/Output Schema

The OPA Spring Boot SDK makes calls to Enterprise OPA or Open Policy Agent to request an authorization decision.

The policy that processes these authorization decision requests must know the structure of the input given by OPA Spring Boot, and must return an appropriately structured output.

The following is a reference for these schemas:

Endpoint Authorization

With endpoint authorization, the OPA Spring Boot SDK sends an authorization request on every call to an API endpoint.

Input

| Parameter | Type | Value | Description |
|---|---|---|---|
| input.resource.type | String | endpoint | A constant describing the type of resource being accessed. |
| input.resource.id | String | Endpoint servlet path | |
| input.action.name | String | GET, POST, PUT, PATCH, HEAD, OPTIONS, TRACE, or DELETE | HTTP request method |
| input.action.protocol | String | HTTP protocol for request, e.g. HTTP 1.1 | |
| input.action.headers | Map[String, Any] | HTTP headers of request | Not guaranteed to be present. |
| input.context.type | String | http | A constant describing the type of contextual information provided. |
| input.context.host | String | HTTP remote host of request | |
| input.context.ip | String | HTTP remote IP of request | |
| input.context.port | String | HTTP remote port for request | |
| input.context.data | Map[String, Any] | Optional supplemental data you can inject using a ContextDataProvider implementation | |
| input.subject.type | String | java_authentication | A constant describing the kind of subject being provided. |
| input.subject.id | String | Spring authN principal | ID representing the subject being authorized. |
| input.subject.details | String | Spring authN details | |
| input.subject.authorities | String | Spring authN authorities | |

Output

| Parameter | Type | Required | Description |
|---|---|---|---|
| output.decision | Boolean: true if and only if the request should be allowed to proceed, else false | Yes | The decision of the authorization request |
| output.context.id | String | Yes | AuthZEN Reason Object ID |
| output.context.reason_admin | Map[String, String] | No | AuthZEN Reason Field Object, for administrative use |
| output.context.reason_user | Map[String, String] | No | AuthZEN Reason Field Object, for user-facing error messages |
| output.context.data | Map[String, Any] | No | Optional supplemental data provided by your OPA policy |
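A policy that consumes the input schema above and returns the output schema, as an added example that is not part of the SDK documentation. It assumes the SDK is configured to query the `result` rule of package `authz`, and the admin set and internal CIDR are constructed sample data; note the generic `reason_user` next to a more detailed `reason_admin`, and the defensive read of `input.action.headers`, which the table says may be absent.

```rego
package authz

import rego.v1

# Constructed sample data: principals allowed to call /admin/* endpoints.
admins := {"alice", "ops-bot"}

# Default verdict (deny) in the SDK's output schema; the rule name `result` is an assumption.
default result := {
	"decision": false,
	"context": {
		"id": "no-rule-matched",
		"reason_user": {"en": "access denied"},
		"reason_admin": {"en": "no allow rule matched the request"},
	},
}

# Health probes: unauthenticated GET on the servlet path /actuator/health only.
result := {"decision": true, "context": {"id": "health-probe"}} if {
	input.resource.type == "endpoint"
	input.action.name == "GET"
	input.resource.id == "/actuator/health"
}

# Admin endpoints: an authenticated principal in the admin set, connecting
# directly from the internal network (assumed here to be 10.0.0.0/8).
result := {
	"decision": true,
	"context": {
		"id": "admin-allow",
		"reason_admin": {"en": sprintf("%s is in the admin set", [input.subject.id])},
		"data": {"principal": input.subject.id, "method": input.action.name},
	},
} if {
	input.resource.type == "endpoint"
	startswith(input.resource.id, "/admin/")
	input.subject.type == "java_authentication"
	input.subject.id in admins
	net.cidr_contains("10.0.0.0/8", input.context.ip)
	not proxied
}

# A proxied request makes input.context.ip the proxy, not the client, so the
# network check above would be meaningless. input.action.headers is not
# guaranteed to be present, so read it with a default instead of directly.
proxied if {
	headers := object.get(input.action, "headers", {})
	some name, _ in headers
	lower(name) == "x-forwarded-for"
}
```

Because each allow rule assigns a different complete value to `result`, the rules must be mutually exclusive (here they match disjoint servlet paths); otherwise OPA reports a conflict instead of a decision.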