From c0c9365dbab8d683cf702e05a12f4ca6d8e9b211 Mon Sep 17 00:00:00 2001 From: Nikos Date: Tue, 9 Jan 2024 16:15:47 +0200 Subject: [PATCH] chore: update readme --- README.md | 34 +++++++++++++++++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 817344d91..9178d3083 100644 --- a/README.md +++ b/README.md @@ -55,6 +55,7 @@ At the moment the application is sourcing the following from the environment: ## Container + To build the UI oci image, you will need [rockcraft](https://canonical-rockcraft.readthedocs-hosted.com). To install rockcraft run: @@ -106,7 +107,7 @@ export PORT=4455 export TRACING_ENABLED=false export LOG_LEVEL=debug export AUTHORIZATION_ENABLED=false -./cmd/app +./app serve ``` To test the authorizatoin code flow you can use the Ory Hydra CLI: 
@@ -130,3 +131,34 @@ hydra perform authorization-code \
 --client-secret `echo "$code_client" | yq .client_secret` \
 --scope openid,profile,email,offline_access
 ```
+
+## OpenFGA Model Creation
+
+The login UI relies to [OpenFGA](https://github.com/openfga/openfga/) for authorization decisions.
+After you deploy the OpenFGA server, you need to create the OpenFGA store and model:
+
+```console
+./login-ui-binary create-fga-model --fga-api-token $OPENFGA_API_TOKEN --fga-api-url $OPENFGA_API_URL --store-id $STORE_ID
+```
+
+To try it locally you can deploy OpenFGA using docker-compose:
+```console
+docker-compose -f docker-compose.dev.yml --build --force-recreate up
+```
+
+And run with the store:
+```console
+make build
+./app create-fga-model --fga-api-token 42 --fga-api-url http://localhost:8080 --store-id 01GP1254CHWJC1MNGVB0WDG1T0
+
+export KRATOS_PUBLIC_URL=http://localhost:4433
+export HYDRA_ADMIN_URL=http://localhost:4445
+export BASE_URL=http://localhost:4455
+export OPENFGA_API_SCHEME=http
+export OPENFGA_API_HOST=localhost:8080
+export OPENFGA_STORE_ID=01GP1254CHWJC1MNGVB0WDG1T0
+export OPENFGA_API_TOKEN=42
+export OPENFGA_AUTHORIZATION_MODEL_ID=01HGG9ZQ9PP3P6QHW93QBM55KM
+export AUTHORIZATION_ENABLED=false
+./app serve
+```