Policy Library
This library collects reusable Rego patterns for PBAC extensions. Each entry follows the same structure: the problem it solves, a complete Rego implementation, the policy data it reads, a test you can run against a live instance, and common variations.
All examples target the oauth.evaluations_ext package (called during /token and /introspect) unless otherwise noted. For background on how extensions work, see the Rego for PBAC primer.
Patterns
| Pattern | What it does |
|---|---|
| Deny by Default | Start with everything denied. Grant access via explicit allowlists in policy data. |
| Attribute-Based Access | Gate decisions on software statement claims, subject attributes, or PIP-sourced data. |
| Time-Bound Access | Set short token TTLs for agent clients, restrict access to business hours, or expire grants automatically. |
| Delegation Chains | Validate token exchange chains — enforce depth limits and prevent scope expansion across hops. |
| Agent Trust Tiers | Provider-based trust levels for MCP agents — scope denial, TTL reduction, and single-use tokens. |
Coming next��
MCP-server-specific patterns built on the generic ones above. We plan to add:
- GitHub — separating
repos:writefromprs:merge, per-repo scope narrowing - PostgreSQL — read / write / DDL scope models, query-type enforcement
- Google Workspace — step-up for
gmail:send, admin surface isolation - Slack — gating
slack:writeper channel or per time window
Each will pair a ready-made Rego pattern with the corresponding policy data and test plan. If there's a backend you need a pattern for, tell us.
How to read these examples
Each pattern page is structured the same way:
- Problem — what authorization requirement this addresses
- Rego — the complete extension, ready to load via the admin API or the dashboard's policy editor
- Policy data — the JSON payload to seed under the appropriate
data.oauthkey - Test — curl commands to verify allowed and denied cases against a running instance
- Variations — common modifications and how to combine with other patterns
Policy data keys live under data.oauth in your seed payload but are available in Rego as data.oauth_config.* — PBAC rewrites the key to prevent OPA recursion during bundle evaluation. Use data.oauth_config (not data.oauth) in all Rego references.