Lib.rs

Authentication
#client #authorization #model #optional #management #credentials #bearer

openfga-client

Type-safe client SDK for OpenFGA with optional Authorization Model management and Authentication (Bearer or Client Credentials)

Owned by c-thiel.

4 releases

new 0.2.0 Mar 3, 2025
0.1.2 Feb 27, 2025
0.1.1 Feb 25, 2025
0.1.0 Feb 25, 2025

#133 in Authentication

Download history

187 downloads per month

Apache-2.0

1.5MB
22K SLoC

OpenFGA Rust Client SDK

Crates.io License Tests

OpenFGA Rust Client is a type-safe gRPC client for OpenFGA with optional Authorization Model management and Authentication (Bearer or Client Credentials).

Features

  • Type-safe client for OpenFGA (gRPC) build on tonic
  • (JSON) Serialization and deserialization for Authorization Models in addition to protobuf Messages
  • Uses vendored-protoc for well-known types - Rust files are pre-generated.
  • Optional Authorization Model management with Migration hooks. Ideal for stateless deployments. State is managed exclusively in OpenFGA. This enables fully automated model management by your Application without re-writing of Authorization Models on startup.
  • Optional Authentication (Bearer or Client Credentials) via the Middle Crate. (Feature: auth-middle)
  • Convenience functions like read_all_tuples (handles pagination), get_store_by_name and more.

Usage

Basic Usage

use openfga_client::client::OpenFgaServiceClient;
use tonic::transport::Channel;
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let endpoint = "http://localhost:8081";
    let service_client = OpenFgaServiceClient::connect(endpoint).await?;
    // Use the client to interact with OpenFGA
    Ok(())
}

Bearer Token Authentication (API-Key)

use openfga_client::{client::BasicOpenFgaServiceClient, url};
fn main() -> Result<(), Box<dyn std::error::Error>> {
    let endpoint = url::Url::parse("http://localhost:8081")?;
    let token = "your-bearer-token";
    let service_client = BasicOpenFgaServiceClient::new_with_basic_auth(endpoint, token)?;
    // Use the client to interact with OpenFGA
    Ok(())
}

Client Credential Authentication

use openfga_client::client::BasicOpenFgaServiceClient;
use url::Url;
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let endpoint = Url::parse("http://localhost:8081")?;
    let client_id = "your-client-id";
    let client_secret = "your-client-secret";
    let token_endpoint = Url::parse("http://localhost:8081/token")?;
    let scopes = vec!["scope1", "scope2"];
    let service_client = BasicOpenFgaServiceClient::new_with_client_credentials(endpoint, client_id, client_secret, token_endpoint, &scopes).await?;
    // Use the client to interact with OpenFGA
    Ok(())
}

License

This project is licensed under the Apache-2.0 License. See the LICENSE file for details.

Contributing

Contributions are welcome! Please open an issue or submit a pull request on GitHub.

Dependencies

~9–27MB
~421K SLoC