Requirements for Developing an OAA Connector
Choosing your development environment and deploying an OAA connector
The Open Authorization API enables developers to push metadata to the Veza Authorization Graph using a standard JSON schema. To automate this process, you will need a way to periodically query the data source you want to integrate, populate the schema, and publish the populated template payload to your Veza instance using API calls.
You can interact with the Veza API from your client or language of choice. OAA connectors can (and have) been developed in a variety of languages. The only requirements are the ability to:
- query the source application (or read a data file, or use another method) to collect identity, resource, and authorization metadata
- assemble a `dict` or similar data structure and convert it to JSON
- make REST API calls to publish the payload
Veza provides a Python SDK, `oaaclient`. This package provides functions for generating and submitting the JSON payload. The community connectors developed by Veza use this toolkit, as do all integrations built by active customer developers.
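The three requirements above (collect, assemble, publish) as a minimal connector skeleton. This is an added example, not code from the page and not Veza's `oaaclient`; it assumes a stubbed `fetch_source_records()` in place of a real source query, a simplified illustrative payload layout rather than the exact OAA JSON schema, a placeholder `PUSH_PATH` for the real push endpoint, and secrets supplied through the `VEZA_URL` and `VEZA_API_KEY` environment variables so the API key never lives in source.

```python
"""Skeleton of an OAA-style connector, written as an added example.

This is not Veza's oaaclient and not code from the page. Assumptions:
fetch_source_records() stands in for querying the real source application,
the payload keys below are a simplified illustration rather than the exact
OAA JSON schema, and PUSH_PATH is a placeholder for the real push endpoint.
"""
import json
import os
import urllib.request

# Constructed sample records standing in for a query against the source app.
SAMPLE_SOURCE_RECORDS = [
    {"user": "alice", "resource": "billing-db", "role": "admin"},
    {"user": "alice", "resource": "reports", "role": "viewer"},
    {"user": "bob", "resource": "billing-db", "role": "viewer"},
]
PUSH_PATH = "/oaa-push-endpoint-placeholder"  # placeholder, not the real path


def fetch_source_records():
    """Step 1: collect identity, resource and authorization metadata."""
    return list(SAMPLE_SOURCE_RECORDS)


def build_payload(records, app_name="example-app"):
    """Step 2: assemble a dict that can be serialized to JSON (simplified shape)."""
    users = sorted({r["user"] for r in records})
    resources = sorted({r["resource"] for r in records})
    grants = [
        {"identity": r["user"], "resource": r["resource"], "role": r["role"]}
        for r in records
    ]
    return {
        "application": {"name": app_name, "application_type": "example"},
        "local_users": [{"name": u} for u in users],
        "resources": [{"name": r} for r in resources],
        "identity_to_permissions": grants,
    }


class RecordingSender:
    """Dry-run transport: records what would be sent instead of calling Veza."""

    def __init__(self):
        self.calls = []

    def __call__(self, url, body, headers):
        self.calls.append({"url": url, "payload": json.loads(body), "headers": headers})
        return 200


def _http_post(url, body, headers):
    """Real transport: POST the JSON body and return the HTTP status code."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


def publish_payload(payload, send=None):
    """Step 3: publish via REST. The API key comes from the environment, never source.

    `send(url, body, headers) -> status` defaults to a real HTTP POST; pass a
    RecordingSender for tests or dry runs. Bearer-token auth is an assumption.
    """
    api_key = os.environ.get("VEZA_API_KEY")
    if send is None and not api_key:
        raise RuntimeError("VEZA_API_KEY is not set; refusing to publish")
    base_url = os.environ.get("VEZA_URL", "https://veza.example.invalid")
    body = json.dumps(payload, sort_keys=True).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"Bearer {api_key or 'dry-run'}",
    }
    return (send or _http_post)(base_url + PUSH_PATH, body, headers)


if __name__ == "__main__":
    # A scheduled run (cron, Lambda, GitHub Action) executes exactly this sequence.
    status = publish_payload(build_payload(fetch_source_records()), send=RecordingSender())
    print("dry-run status:", status)
```

Keeping the transport injectable lets you run the collect-and-assemble steps locally and inspect the exact JSON before any credential is involved; the refusal to publish without `VEZA_API_KEY` is deliberate so a misconfigured scheduler fails loudly instead of silently skipping.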
Deploying your connector
You can run OAAClient as a manual CLI tool for trial purposes, but should automate any long-running OAA implementation. A DevOps or SecOps team is typically responsible for establishing continuous integration of a Veza connector.
Customers are responsible for running their own connectors. The frequency your app must run will depend on use case, ranging from daily to hourly. Veza typically refreshes metadata for built-in integrations on an hourly basis. However, you can decide to publish OAA payloads on any schedule.
At a minimum, a deployed OAA connector should be able to:
- Parse the data source and push an updated payload on a schedule
- Securely handle secrets such as API keys
Teams should follow their preferred processes and use familiar or existing platforms. Some options include:
- AWS Lambda function
- Docker/k8s-based container
- cron task
- GitHub action
Choosing between full push and incremental updates
Veza expects the default push to contain a full payload. A full push overwrites all existing information for the data source being updated.
During development, it is usually most efficient to design your parser for a full discovery. It is easiest to design the connector to assemble and push the full payload, and then use the same code to publish updates.
OAA does support incremental updates as an optional behavior. If your custom data source or identity provider provides a way to get individual changes over time, you could design your connector to parse only new or changed entities and push updates individually (perhaps in response to detected changes). However, this approach will be more complicated. A full parse-and-push will be more efficient unless there is a method to query the provider for differences since the last push.
To use incremental updates:
- Set the `is_incremental` flag in the payload to `true`
- Add an `add`, `modify`, or `delete` operation to every entity
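The incremental flow above, worked as an added example that is not code from the page or from `oaaclient`. It assumes a snapshot is a dict mapping an entity key such as `user:alice` to that entity's attributes; the `is_incremental` flag and the per-entity `add`/`modify`/`delete` operation follow the page, while the snapshot and payload shapes are simplified constructions. It also handles the case the text implies: when nothing changed since the last push, there is no incremental payload to send.

```python
"""Deriving incremental OAA operations from two snapshots (added example).

Not code from the page or from oaaclient. Assumptions: a snapshot maps an
entity key such as "user:alice" to that entity's attributes; `is_incremental`
and the per-entity add/modify/delete operation follow the page, while the
snapshot and payload shapes are simplified constructions.
"""

# Constructed snapshots: what was pushed last time vs. what the source has now.
PREVIOUS_SNAPSHOT = {
    "user:alice": {"role": "admin"},
    "user:bob": {"role": "viewer"},
    "user:dave": {"role": "viewer"},
    "resource:billing-db": {"type": "database"},
}
CURRENT_SNAPSHOT = {
    "user:alice": {"role": "admin"},        # unchanged -> no operation
    "user:bob": {"role": "admin"},          # attribute changed -> modify
    "user:carol": {"role": "viewer"},       # new -> add
    "resource:billing-db": {"type": "database"},
    # user:dave is gone -> delete
}


def diff_entities(previous, current):
    """Return one {key, operation, attributes} per changed entity, sorted by key."""
    ops = []
    for key in sorted(set(previous) | set(current)):
        if key not in previous:
            ops.append({"key": key, "operation": "add", "attributes": current[key]})
        elif key not in current:
            ops.append({"key": key, "operation": "delete", "attributes": previous[key]})
        elif previous[key] != current[key]:
            ops.append({"key": key, "operation": "modify", "attributes": current[key]})
    return ops


def entity_record(key, attributes, operation=None):
    """Flatten 'type:name' plus attributes into one entity record."""
    entity_type, name = key.split(":", 1)
    record = {"type": entity_type, "name": name, **attributes}
    if operation is not None:
        record["operation"] = operation
    return record


def build_full_payload(current):
    """Default behaviour: a full payload, which overwrites the data source."""
    return {
        "is_incremental": False,
        "entities": [entity_record(k, v) for k, v in sorted(current.items())],
    }


def build_incremental_payload(previous, current):
    """Incremental payload; returns None when nothing changed so no push is made."""
    ops = diff_entities(previous, current)
    if not ops:
        return None
    return {
        "is_incremental": True,
        "entities": [
            entity_record(o["key"], o["attributes"], o["operation"]) for o in ops
        ],
    }


if __name__ == "__main__":
    for op in diff_entities(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT):
        print(op["operation"], op["key"])
```

Note that computing the diff this way still requires the connector to retain the last pushed snapshot, which is the extra state the page warns makes incremental connectors more complicated; if the provider can report changes since a given time, that query replaces the snapshot comparison.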