OpenFGA

OpenFGA is the fine-grained authorization engine. It implements relationship-based access control (ReBAC) — think "can user X perform action Y on resource Z?"

Details

| Field | Value |
|---|---|
| Endpoint | Internal only — openfga.internal.icydesert-76825898.southindia.azurecontainerapps.io |
| Azure name | openfga |
| Resource group | testing |
| Environment | cerebro-auth-env (South India) |
| Image | openfga/openfga:latest |
| Port | 8080 |
| Visibility | Internal (VNet only) |

Database

OpenFGA stores authorization data in PostgreSQL:

  • Server: cerebro-authstack-pg
  • Database: openfga

The database was initialized via the openfga-migrate job (a one-time migration Container App Job).

How It Works

OpenFGA uses an authorization model that you define. You then write tuples (user → relation → object) that encode permissions, and services query OpenFGA with Check(user, relation, object) to ask whether that relationship holds.

Example check

curl -X POST http://openfga.internal.../stores/<store-id>/check \
  -H "Content-Type: application/json" \
  -d '{
    "tuple_key": {
      "user": "user:alice",
      "relation": "reviewer",
      "object": "campaign:123"
    }
  }'
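
A calling service should treat anything other than a clean "allowed": true answer as a deny. The sketch below is an added example, not code from this deployment or from the OpenFGA project: it sends the same request body as the curl call above and fails closed on errors. The function names, the timeout value and the sample responses are assumptions made for illustration.

```python
import json
import urllib.error
import urllib.request


def build_body(user, relation, obj):
    """Request body in the same shape as the curl example above."""
    return {"tuple_key": {"user": user, "relation": relation, "object": obj}}


def decide(status, raw_body):
    """Grant only on HTTP 200 with a JSON object whose "allowed" is literally true."""
    if status != 200:
        return False
    try:
        doc = json.loads(raw_body)
    except (ValueError, TypeError):
        return False
    return isinstance(doc, dict) and doc.get("allowed") is True


def check(base_url, store_id, user, relation, obj, timeout=2.0):
    """POST to /stores/<store-id>/check; any transport or HTTP error is a deny."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/stores/{store_id}/check",
        data=json.dumps(build_body(user, relation, obj)).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return decide(resp.status, resp.read())
    except (urllib.error.URLError, OSError, ValueError):
        return False  # unreachable, timed out, 4xx/5xx: fail closed


if __name__ == "__main__":
    # Constructed responses, not captured from a real OpenFGA instance.
    samples = [
        (200, b'{"allowed": true}'),
        (200, b'{"allowed": false}'),
        (200, b'{"allowed": "true"}'),   # wrong type must not grant access
        (200, b"<html>gateway</html>"),  # non-JSON body from a proxy
        (500, b'{"allowed": true}'),     # error status overrides the body
    ]
    for status, body in samples:
        print(status, body, "->", "ALLOW" if decide(status, body) else "DENY")
```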

Viewing the API (from inside the VNet)

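OpenFGA is internal-only. To reach it from outside the VNet, open a shell in a container app that runs inside the VNet and call the API from there:

# Open a shell in the authstack-toolbox container app (exec session)
az containerapp exec \
  --name authstack-toolbox \
  --resource-group testing \
  --command "/bin/sh"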

# Then inside the container:
curl http://openfga.internal.icydesert-76825898.southindia.azurecontainerapps.io/healthz

View Logs

az containerapp logs show \
  --name openfga \
  --resource-group testing \
  --tail 50

Update Image

az containerapp update \
  --name openfga \
  --resource-group testing \
  --image openfga/openfga:v1.x.x  # pin to a specific version