Validate Request with Open Policy Agent (OPA)

The Open Policy Agent (OPA) is an open source, general-purpose policy engine that unifies policy enforcement. In Choreo Connect, you can offload some responsibility of making the decision to authorize or not when a consumer invokes APIs based on policies attached to APIs.

Choreo Connect uses OPA’s policy evaluation REST API interface to communicate with OPA. Following diagram describes the request/response of OPA validation.

Tip

You can deploy OPA server as a sidecar with Choreo Connect Runtime (Enforcer and Router) in a Kubernetes deployment, if you want to improve communication between Enforcer and OPA server.

Choreo Connect OPA request flow

Numbers Description
1 Client request
2 Request to validate (i.e. authentication, rate-limiting, OPA validation and other validations) the client request through Enforcer
3 Enforcer calling the OPA server with the JSON payload described in Request Payload to the OPA server
4 Response from OPA server after validating the request as described in Response Payload from the OPA server
5 Respond the validation status to the Router
6,7 Response from the backend
8 Response to the client

Please refer the documentation on Validate Request with Open Policy Agent (OPA) to learn how to attach and configure OPA policies to APIs.

Top