Flipt authorization is experimental and disabled (not required) by default.

To enable authorization, you must set the experimental.authorization.enabled configuration option to true in your Flipt configuration file.

Once authorization has been set to required: true all management API routes will require a valid authentication session as well.

The UI will require a session-compatible authentication method (e.g. OIDC) to be enabled.

Flipt supports the ability to secure its core API routes by setting the required field to true on the authorization configuration object.

config.yaml
authorization:
  required: true

# required while authorization is still experimental
experimental:
  authorization:
    enabled: true

When authorization is set to required, the API will ensure valid credentials are present on all management API requests.

See the Authorization: Overview documentation for more details on Flipt’s API authorization handling.

Policies

Flipt uses Open Policy Agent (OPA) to enforce authorization policies. OPA is a general-purpose policy engine that can be used to enforce policies across the stack.

Local

Currently, Flipt only supports local policy files. These policy files must be valid Rego files.

In the future we plan to support other policy source backends such as git, object store, and others. If you have a specific use case, please get in touch!

You can specify the path to the policy file in the policy object in the authorization configuration object.

authorization:
  required: true
  policy:
    backend: local
    local:
      path: "policy.rego"

The policy must have the following package declaration:

policy.rego
package flipt.authz.v1

You can learn more about policies in our Authorization: Overview documentation.

Polling Interval

Flipt will poll the policy file for changes at a regular interval. By default, Flipt will poll the policy file every 5 minutes. You can adjust this interval by setting the poll_interval field in the policy object.

authorization:
  required: true
  policy:
    backend: local
    local:
      path: "policy.rego"
      poll_interval: "1m"

External Data

In addition to policies that can be used to enforce authorization rules, Flipt also provides a way to pass external data to the policy evaluation.

This can be done by setting the data object in the authorization configuration object.

Local

Currently, Flipt only supports local data objects. These data objects must be valid JSON objects.

In the future we plan to support other data source backends such as git, object store, and others. If you have a specific use case, please get in touch!

You can specify the path to the data file in the data object in the authorization configuration object.

authorization:
  required: true
  policy:
    backend: local
    local:
      path: "policy.rego"
  data:
    backend: local
    local:
      path: "data.json"

You can learn more about using data with policies in our Authorization: Overview documentation.

Polling Interval

Like policies, Flipt will poll data files for changes at a regular interval. By default, Flipt will poll the data file every 30 seconds. You can adjust this interval by setting the poll_interval field in the data object.

authorization:
  required: true
  data:
    backend: local
    local:
      path: "data.json"
      poll_interval: "1m"