@pre-authorization

Variant of @pre-execute for @authorization which is only executed for authorization requests. If this pipeline rejects, the main @authorization and @post-authorization pipelines are skipped, and the request is rejected immediately.

Note: The @ prefix is required for pipeline blocks. The legacy syntax without @ (e.g., pre-authorization {}) is deprecated and emits warnings. Use @pre-authorization {} for new configurations.

See also

• Execution context - Available variables
• Actions - Available actions
• Pipeline directives - Control flow

Example

@pre-authorization {
    backend "LDAP_DIRECTORY";
    if all {
        user.group == "banned";
    } then {
        reject;
    }
}