
security.authz

Authorization helpers for target-scoped exp configuration access.

The exp service authorizes callers differently depending on the endpoint shape:

  • /build-time and /run-time authorize one explicit target.
  • /config authorizes whichever targets own the requested key.

Both flows share the same header parsing and Easy Auth decoding primitives so the security behavior stays consistent between local and Azure deployments.
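The two endpoint shapes can be sketched as follows. This is an added example, not the exp service's own code. It assumes caller targets arrive as `roles` claims in the base64-encoded JSON `X-MS-CLIENT-PRINCIPAL` header that Easy Auth sets, and that a `/config` key is readable when the caller holds at least one owning target; all function names are hypothetical.

```python
import base64
import binascii
import json
from typing import Iterable, Mapping, Sequence

PRINCIPAL_HEADER = "x-ms-client-principal"  # header populated by Easy Auth
TARGET_CLAIM = "roles"  # assumption: targets are carried as role claims


def caller_targets(headers: Mapping[str, str]) -> frozenset[str]:
    """Decode the Easy Auth principal; any defect yields no targets."""
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get(PRINCIPAL_HEADER)
    if not raw:
        return frozenset()
    try:
        principal = json.loads(base64.b64decode(raw, validate=True))
    except (binascii.Error, ValueError):
        return frozenset()  # fail closed on malformed base64 or JSON
    claims = principal.get("claims") if isinstance(principal, dict) else None
    if not isinstance(claims, list):
        return frozenset()
    return frozenset(
        c["val"] for c in claims
        if isinstance(c, dict) and c.get("typ") == TARGET_CLAIM
        and isinstance(c.get("val"), str) and c["val"]
    )


def may_read_target(headers: Mapping[str, str], requested_target: str) -> bool:
    """/build-time and /run-time shape: exactly one explicit target."""
    return requested_target in caller_targets(headers)


def may_read_key(headers: Mapping[str, str], owning_targets: Sequence[str]) -> bool:
    """/config shape: holding any target that owns the key is enough."""
    return bool(caller_targets(headers).intersection(owning_targets))


def encode_principal(targets: Iterable[str]) -> dict[str, str]:
    """Build a constructed sample header for local experiments."""
    body = {"auth_typ": "aad",
            "claims": [{"typ": TARGET_CLAIM, "val": t} for t in targets]}
    blob = base64.b64encode(json.dumps(body).encode()).decode()
    return {"X-MS-CLIENT-PRINCIPAL": blob}
```

The header is only trustworthy when the request actually passed through the Easy Auth front end; a local deployment that accepts it from arbitrary clients is accepting a caller-supplied identity.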

RequestLike Objects

class RequestLike(Protocol)

Minimal request protocol needed by authorization helpers.

EasyAuthClaim Objects

class EasyAuthClaim(TypedDict)

Represents one claim emitted by Azure Easy Auth.

EasyAuthPrincipal Objects

class EasyAuthPrincipal(TypedDict)

Represents the decoded Easy Auth principal payload.

AuthorizationResult Objects

@dataclass(frozen=True, slots=True)
class AuthorizationResult()

Encapsulates authorization outcome and response metadata.

authorize_target_request

def authorize_target_request(req: RequestLike | None,
                             requested_target: str) -> AuthorizationResult

Authorize access to a target-scoped build-time or run-time configuration document.

authorize_config_request

def authorize_config_request(
        req: RequestLike | None,
        allowed_targets: Sequence[str]) -> AuthorizationResult

Authorize access to a single config key owned by one or more caller targets.
