Warrant Changelog — March 2024
We were quite busy in the month of March, and we're excited to tell everyone about some of the new features we added. In this changelog, we'll cover (1) Check API & client SDK support for OIDC-based ID tokens, (2) some major additions to the Query API + performance improvements to the Check & Query APIs, (3) the addition of graph visualizations in the dashboard, and (4) the ability to create object types without any relations (a simple but much awaited feature). Let's get into it!
Use Your Own AuthN Tokens
The Check API and our client-side SDKs (React, Vue, etc.) now support using OIDC-based ID tokens directly! For teams using one of our client-side SDKs to show/hide elements in their UI, this means you no longer need to create a separate Warrant session token every time you initiate a session for your users.
This flow works for any OIDC-compliant authentication provider with an available JSON Web Key Set (JWKS) endpoint and can be set up and configured from your Account page in the Warrant dashboard. Learn more about using third-party authentication tokens with the Warrant API from our docs sections on Authentication and Identity Provider Sessions.
Query API Policy Support
The Query API now supports policies! For customers using policies + context in their warrants (e.g. ip_address in ["10.0.0.32/16"]), the Query API wasn't a great option for listing a user's access rules because it didn't support evaluating policies during query resolution. We've finally added support for this. The Query API now accepts a context parameter through which clients can pass contextual data used for evaluating policies encountered during query resolution. Server-side SDK support is in progress and has already rolled out in some SDKs. Learn more about the new context parameter here.
Batch Check + Query Performance Improvements
The batch check operation on the Check API now runs check requests in parallel, boasting a significant performance improvement over the previous implementation. We've also dramatically improved performance of the Query API, leveraging a lot more parallelism and caching to do so. If you've used either the batch check or the Query API in the past, try them out again to see the difference!
Graph Visualizations
While using Warrant makes it easier for engineering teams to build complex authorization, it can sometimes be difficult to visualize what an authorization model (or subset of the model) looks like in practice, for example when trying to understand how a user has access to a particular resource. We've been experimenting with graph visualizations to make it easier to understand what an application's authorization graph looks like. We've added the very first visualization in the FGAC > Check page. When confirming whether or not a user has a particular permission from this page, users will now be shown a graph visualization explaining exactly how the given subject has access to the given resource.
Create Object Types without Relations
Finally, a simple but much-awaited feature: object types can now be created without any relations. You might be wondering, why would anyone want to create an object type without any relations? It's especially useful for object types that are usually leaf nodes in the authorization graph and won't have any relations defined on them. A user object type is a great example:
{
  "type": "user",
  "relations": {}
}
Until now, these leaf node object types required a dummy/placeholder relation, which led to confusion on some teams. We've lifted this requirement, so that's no longer the case.
That's all for this batch of updates! If there's a feature or improvement you'd like to see us work on next, join our Slack Community and let us know! As always, happy building! 🛠️