Authorization as a service through OpenFGA

[kameshraj]

Hi
My company has multiple products, and we are using Auth0 for authentication (CIAM). I want to use OpenFGA and provide authorization-as-a-service for all products in the company. I want to define a few policies to avoid products (teams) stepping on others' toes.

• Each team defines its authorization models (DSL) and manages it.
• Restrict team-B updating team-A's authorization model.
• Allow products to cross-check relationships (product-A can check permission on product-B)
• Define authorization models (DSL) in a GitHub repo and have it synced with OpenFGA for changes
• Restrict who can query for permission or relationships

Are this possible with OpenFGA?

[kameshraj]

bump!

[aaguiarz]

Hi @kameshraj

I apologize fo the delay answering.

The current authorization model for OpenFGA does not allow to do what you want to achieve. However, we are thinking of ways it could be extended to support it. This RFC mentions some possible approaches openfga/rfcs#10

Basically, you'd need to issue API credentials for Team A and Team B for both stores, and restrict the operations that Team A's credentials can perform in Team B's store (e.g. only call Check/Read/ListObjects).

If you wan to achieve it today, you'd need to write your own Authorization logic and plug it in your own run.go file, using openfga as a library. This line shows how we are currently wiring it

[kameshraj]

Thank you, that helps

[aaguiarz]

We added this to our roadmap openfga/roadmap#30