Quarkus Zanzibar Annotations

Zanzibar annotations are compatible with both of Quarkus' JAX-RS implementations, RESTEasy Reactive and RESTEasy (Classic).

The annotations are modeled after JAX-RS Role-Based Access Control annotations and will be familiar to those who have used them. The main difference being that Zanzibar FGA annotations can dynamically determine their values from the current HTTP request.

Resource Method Annotations

Zanzibar style authorization requires 4 distinct pieces of information: the object type & object id, relation type and the user id. The extension provides resource method annotations to configure how the object and relation properties are determined from the current HTTP request and uses the standard authentication features of Quarkus to determine the user.

The resource method annotations can be placed on a single method or on a class to affect all methods of the class.

Object Type & ID Properties

The Zanzibar extension provides a number of annotations to determine the object type & id from the current request.

Annotation Description Object Id Source Object Type Source

Annotation	Description	Object Id Source	Object Type Source
`FGAPathObject`	Dynamically inspects the HTTP request path parameters.	Request path parameter.	Annotation constant.
`FGAQueryObject`	Dynamically inspects the HTTP request query parameters.	Request query parameter.	Annotation constant.
`FGAHeaderObject`	Dynamically inspects the HTTP request header values.	Request header value.	Annotation constant.
`FGARequestObject`	Dynamically inspects the generic HTTP request properties.	Request property.	Annotation constant.
`FGAObject`	Statically provides both properties in the Zanzibar annotation.	Annotation constant.	Annotation constant.

FGAPathObject

Dynamically inspects the HTTP request path parameters.

Request path parameter.

Annotation constant.

FGAQueryObject

Dynamically inspects the HTTP request query parameters.

Request query parameter.

Annotation constant.

FGAHeaderObject

Dynamically inspects the HTTP request header values.

Request header value.

Annotation constant.

FGARequestObject

Dynamically inspects the generic HTTP request properties.

Request property.

Annotation constant.

FGAObject

Statically provides both properties in the Zanzibar annotation.

Annotation constant.

While these annotations provide a large amount of options sometimes custom support will be needed; currently you can use FGARequestObject to achieve this. Any filter or other request interception method that runs before Zanzibar’s authorization filer can store a property against the current request and then extract the value using the FGARequestObject annotation.

Relation Type Properties

The relation is specified using a single annotation providing the relation as a constant.

Annotation Description Relation Type Source

Annotation	Description	Relation Type Source
`FGARelation`	Statically provides the relation type properties in the Zanzibar annotation.	Annotation constant.

FGARelation

Statically provides the relation type properties in the Zanzibar annotation.

Annotation constant.

User Type Properties

The user type is specified using a single annotation providing the type name as a constant.

Certain FGA implementations require the user to be provided as an object. For example instead of providing a user with id some-user-id as simply some-user-id, it requires the user to be in an object format such as user:some-user-id (for the user type is user).

Annotation Description Relation Type Source

Annotation	Description	Relation Type Source
`FGAUserType`	Statically provides the user type name in the Zanzibar annotation.	Annotation constant.

FGAUserType

Statically provides the user type name in the Zanzibar annotation.

Annotation constant.

User Object Type Requirements

Currently only OpenFGA’s 1.1 schema requires users in object format. The @FGAUserType will be required for all endpoints when using OpenFGA.