API Services AuthorizationService - evansims/openfga-php GitHub Wiki
Service implementation for authorization operations. This service handles all authorization-related queries including permission checks, relationship expansions, and object/user listing. It delegates HTTP communication to the HttpServiceInterface and uses the Result pattern for consistent error handling. The service supports various consistency levels and contextual tuple evaluation for dynamic authorization scenarios. All operations are performed against a specific store and authorization model.
OpenFGA\Services
- AuthorizationServiceInterface (interface)
public function batchCheck(
OpenFGA\Models\StoreInterface|string $store,
OpenFGA\Models\AuthorizationModelInterface|string $model,
OpenFGA\Models\Collections\BatchCheckItemsInterface $checks,
): OpenFGA\Results\FailureInterface|OpenFGA\Results\SuccessInterface
Performs multiple authorization checks in a single batch request. This method allows checking multiple user-object relationships simultaneously for better performance when multiple authorization decisions are needed. Each check in the batch has a correlation ID to map results back to the original requests.

Name | Type | Description |
---|---|---|
$store | StoreInterface \| string | The store to check against |
$model | AuthorizationModelInterface \| string | The authorization model to use |
$checks | BatchCheckItemsInterface | The batch check items with correlation IDs |

FailureInterface | SuccessInterface
— Success with BatchCheckResponse, or Failure with error details
public function check(
OpenFGA\Models\StoreInterface|string $store,
OpenFGA\Models\AuthorizationModelInterface|string $model,
OpenFGA\Models\TupleKeyInterface $tupleKey,
?bool $trace = NULL,
?object $context = NULL,
?OpenFGA\Models\Collections\TupleKeysInterface $contextualTuples = NULL,
?OpenFGA\Models\Enums\Consistency $consistency = NULL,
): OpenFGA\Results\FailureInterface|OpenFGA\Results\SuccessInterface
Checks if a user has a specific relationship with an object. This method verifies whether the specified user has the given relationship (like 'reader', 'writer', or 'owner') with the target object. It's the core operation for making authorization decisions in your application.

Name | Type | Description |
---|---|---|
$store | StoreInterface \| string | The store to check against |
$model | AuthorizationModelInterface \| string | The authorization model to use |
$tupleKey | TupleKeyInterface | The relationship to check |
$trace | bool \| null | Whether to include a trace in the response |
$context | object \| null | Additional context for the check |
$contextualTuples | TupleKeysInterface \| null | Additional tuples for contextual evaluation |
$consistency | Consistency \| null | Override the default consistency level |

FailureInterface | SuccessInterface
— Success with CheckResponse, or Failure with error details
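
A fail-closed gate built on `check()`, added here as an example and not taken from the library or its wiki: a Failure result means no decision was reached, so it is treated as a deny rather than an allow. The helper name `isAllowed`, the `OpenFGA\Services` namespace of the interface, and the accessors `unwrap()` and `getAllowed()` are assumptions not shown on this page.

```php
<?php

declare(strict_types=1);

use OpenFGA\Models\Enums\Consistency;
use OpenFGA\Models\TupleKeyInterface;
use OpenFGA\Results\FailureInterface;
use OpenFGA\Services\AuthorizationServiceInterface;

/**
 * Hypothetical helper: returns true only when OpenFGA explicitly allowed
 * the relationship. Every other outcome is a deny.
 */
function isAllowed(
    AuthorizationServiceInterface $authz,
    string $store,
    string $model,
    TupleKeyInterface $tupleKey,
    ?Consistency $consistency = null,
): bool {
    $result = $authz->check(
        store: $store,
        model: $model,
        tupleKey: $tupleKey,
        consistency: $consistency, // pass a stricter level for sensitive actions
    );

    // Failure = transport, authentication or validation error: no decision
    // was made, so deny and leave a trace for operations to follow up.
    if ($result instanceof FailureInterface) {
        error_log('OpenFGA check failed; denying by default');

        return false;
    }

    // Assumed accessors: unwrap() yields the CheckResponse, getAllowed()
    // its decision. The strict comparison turns null or a missing value
    // into a deny instead of relying on truthiness.
    return true === $result->unwrap()->getAllowed();
}
```

Callers that cache decisions should cache only the `true`/`false` from a Success, never the deny produced by a Failure.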
public function expand(
OpenFGA\Models\StoreInterface|string $store,
OpenFGA\Models\TupleKeyInterface $tupleKey,
OpenFGA\Models\AuthorizationModelInterface|string|null $model = NULL,
?OpenFGA\Models\Collections\TupleKeysInterface $contextualTuples = NULL,
?OpenFGA\Models\Enums\Consistency $consistency = NULL,
): OpenFGA\Results\FailureInterface|OpenFGA\Results\SuccessInterface
Expands a relationship tuple to show all users that have the relationship. This method recursively expands a relationship to reveal all users who have access through direct assignment, group membership, or computed relationships. It's useful for understanding why a user has a particular permission.

Name | Type | Description |
---|---|---|
$store | StoreInterface \| string | The store containing the tuple |
$tupleKey | TupleKeyInterface | The tuple to expand |
$model | AuthorizationModelInterface \| string \| null | The authorization model to use |
$contextualTuples | TupleKeysInterface \| null | Additional tuples for contextual evaluation |
$consistency | Consistency \| null | Override the default consistency level |

FailureInterface | SuccessInterface
— Success with ExpandResponse, or Failure with error details
public function listObjects(
OpenFGA\Models\StoreInterface|string $store,
OpenFGA\Models\AuthorizationModelInterface|string $model,
string $type,
string $relation,
string $user,
?object $context = NULL,
?OpenFGA\Models\Collections\TupleKeysInterface $contextualTuples = NULL,
?OpenFGA\Models\Enums\Consistency $consistency = NULL,
): OpenFGA\Results\FailureInterface|OpenFGA\Results\SuccessInterface
Lists objects that have a specific relationship with a user. This method finds all objects of a given type that the specified user has a particular relationship with. It's useful for building filtered lists based on user permissions (for example "show all documents the user can read").

Name | Type | Description |
---|---|---|
$store | StoreInterface \| string | The store to query |
$model | AuthorizationModelInterface \| string | The authorization model to use |
$type | string | The type of objects to list |
$relation | string | The relationship to check |
$user | string | The user to check relationships for |
$context | object \| null | Additional context for evaluation |
$contextualTuples | TupleKeysInterface \| null | Additional tuples for contextual evaluation |
$consistency | Consistency \| null | Override the default consistency level |

FailureInterface | SuccessInterface
— Success with ListObjectsResponse, or Failure with error details
public function listUsers(
OpenFGA\Models\StoreInterface|string $store,
OpenFGA\Models\AuthorizationModelInterface|string $model,
string $object,
string $relation,
OpenFGA\Models\Collections\UserTypeFiltersInterface $userFilters,
?object $context = NULL,
?OpenFGA\Models\Collections\TupleKeysInterface $contextualTuples = NULL,
?OpenFGA\Models\Enums\Consistency $consistency = NULL,
): OpenFGA\Results\FailureInterface|OpenFGA\Results\SuccessInterface
Lists users that have a specific relationship with an object. This method finds all users (and optionally groups) that have a particular relationship with a specific object. It's useful for auditing access or building user interfaces that show who has permissions.

Name | Type | Description |
---|---|---|
$store | StoreInterface \| string | The store to query |
$model | AuthorizationModelInterface \| string | The authorization model to use |
$object | string | The object to check relationships for |
$relation | string | The relationship to check |
$userFilters | UserTypeFiltersInterface | Filters for user types to include |
$context | object \| null | Additional context for evaluation |
$contextualTuples | TupleKeysInterface \| null | Additional tuples for contextual evaluation |
$consistency | Consistency \| null | Override the default consistency level |

FailureInterface | SuccessInterface
— Success with ListUsersResponse, or Failure with error details
public function streamedListObjects(
OpenFGA\Models\StoreInterface|string $store,
OpenFGA\Models\AuthorizationModelInterface|string $model,
string $type,
string $relation,
string $user,
?object $context = NULL,
?OpenFGA\Models\Collections\TupleKeysInterface $contextualTuples = NULL,
?OpenFGA\Models\Enums\Consistency $consistency = NULL,
): OpenFGA\Results\FailureInterface|OpenFGA\Results\SuccessInterface
Lists objects that a user has a specific relationship with using streaming. This method finds all objects of a given type where the specified user has the requested relationship, returning results as a stream for efficient processing of large datasets. The streaming approach is memory-efficient for large result sets.

Name | Type | Description |
---|---|---|
$store | StoreInterface \| string | The store to query |
$model | AuthorizationModelInterface \| string | The authorization model to use |
$type | string | The object type to filter by |
$relation | string | The relationship to check |
$user | string | The user to check relationships for |
$context | object \| null | Additional context for evaluation |
$contextualTuples | TupleKeysInterface \| null | Additional tuples for contextual evaluation |
$consistency | Consistency \| null | Override the default consistency level |

FailureInterface | SuccessInterface
— Success with Generator<StreamedListObjectsResponse>, or Failure with error details