Would it be possible to add an option for the Data API to return HTTP 200/403 based on the policy decision (allow/deny)? #720
Unanswered
jjhwan-h
asked this question in
OPA and Rego
Replies: 1 comment 1 reply
Hey there! Thanks for the write-up, this indeed comes up every now and then. Does this discussion cover your question? As far as I understand nginx works basically like traefik there (or the other way around, nginx predating traefik).
Background
Our gateway (e.g., Ory Oathkeeper remote_json) determines allow/deny based on the upstream HTTP status code.
Today, the OPA Data API (/v1/data/...) always responds with 200 OK and a JSON body (e.g., {"result": true|false}).
Because of this, we currently need a lightweight adapter that reads the OPA result and converts it to 200/403.
Current behavior
OPA Data API: Always returns 200 when the evaluation succeeds; the decision is conveyed in the response body.
Gateway: Some gateways only support the 200 → allow / 403 → deny contract.
This leads to an interface mismatch and operational overhead from running an extra adapter.
Request
Would you consider adding an optional server setting that maps the policy decision to an HTTP status code (e.g., return 200 for allow and 403 for deny)?
Desired usage (example)
Request:
POST /v1/data/authorization/decision
Content-Type: application/json
{
"input": { "subject": "u1", "action": "read", "resource": "/orders/123" }
}
Allow (unchanged):
HTTP/1.1 200 OK
{ "result": true }
Deny (when the option is enabled):
HTTP/1.1 403 Forbidden
{ "result": false, "reason": "not_owner" }
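A minimal fail-closed version of the adapter the post describes, added here as an example (it is not code from the discussion, from OPA or from Ory Oathkeeper). It forwards the gateway's input document to the Data API, passes the `{"result": ...}` body back through, and sets the status the gateway expects: 200 only for an explicit boolean `true`; 403 for `false`, an undefined result (OPA omits the `result` key), a non-boolean result or unparsable JSON; 503 when OPA cannot be reached, which the gateway still reads as deny while telling operators it was an outage rather than a policy decision. The OPA port 8181, the adapter port 8282 and the in-process fake OPA server are assumptions so the example runs offline; the decision path and input document are the ones from the post.

```go
package main

import (
	"bytes"
	"encoding/json"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// opaEnvelope is the Data API response shape: {"result": <document>}.
// When the queried document is undefined, OPA omits the "result" key.
type opaEnvelope struct {
	Result json.RawMessage `json:"result"`
}

// decisionStatus maps a raw Data API body to the status code the gateway
// expects. Only an explicit boolean true yields 200; false, an undefined
// result, a non-boolean result or unparsable JSON all yield 403 (fail closed).
func decisionStatus(body []byte) int {
	var env opaEnvelope
	if err := json.Unmarshal(body, &env); err != nil {
		return http.StatusForbidden
	}
	if len(env.Result) == 0 { // undefined decision: no "result" key at all
		return http.StatusForbidden
	}
	var allowed bool
	if err := json.Unmarshal(env.Result, &allowed); err != nil || !allowed {
		return http.StatusForbidden
	}
	return http.StatusOK
}

// newAdapter returns a handler that forwards the caller's body (an OPA input
// document) to opaURL and answers 200 or 403. The Data API body is passed
// through unchanged so the caller still sees {"result": ...}.
func newAdapter(opaURL string, client *http.Client) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		input, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))
		if err != nil {
			http.Error(w, "cannot read input", http.StatusBadRequest)
			return
		}
		resp, err := client.Post(opaURL, "application/json", bytes.NewReader(input))
		if err != nil {
			// OPA unreachable: never answer 200; 503 distinguishes outage from deny.
			http.Error(w, "policy backend unavailable", http.StatusServiceUnavailable)
			return
		}
		defer resp.Body.Close()
		body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
		if err != nil || resp.StatusCode != http.StatusOK {
			http.Error(w, "policy backend error", http.StatusServiceUnavailable)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(decisionStatus(body))
		w.Write(body)
	})
}

// fakeOPA stands in for the Data API in offline runs (assumption, not OPA):
// it answers every request with the given body.
func fakeOPA(body string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		io.WriteString(w, body)
	}))
}

// askAdapter sends an input document through the adapter and returns the
// status code the gateway would see.
func askAdapter(adapter http.Handler, input string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/decide", strings.NewReader(input))
	adapter.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed input, matching the example request in the discussion.
	const input = `{"input": {"subject": "u1", "action": "read", "resource": "/orders/123"}}`
	client := &http.Client{Timeout: 2 * time.Second}
	opa := fakeOPA(`{"result": false}`)
	defer opa.Close()
	log.Printf("gateway would see HTTP %d", askAdapter(newAdapter(opa.URL, client), input))
	// Deployment (assumed ports): point the adapter at the real OPA and listen
	// where the gateway's remote_json authorizer is configured to call:
	// log.Fatal(http.ListenAndServe(":8282",
	//     newAdapter("http://127.0.0.1:8181/v1/data/authorization/decision", client)))
}
```

The adapter deliberately treats anything other than a literal `true` as deny, so the queried document should be a boolean rule; a decision that evaluates to an object or is left undefined by the policy is a deny, not a misconfiguration the gateway silently lets through.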