- Aug 8, 2024
Introduction to authorization with OpenFGA
- Daniel Krzyczkowski
In one of my previous posts I explained some concepts related to authorization and mentioned that authorization based on an external authorization store is a better idea. In this post I would like to introduce one of the solutions that enables such an approach to implementing authorization.
OpenFGA (Open Fine-Grained Authorization) is an open-source project designed to handle fine-grained authorization at scale. It provides a flexible, scalable, and high-performance authorization system for modern applications.
OpenFGA features
Here are some key aspects of OpenFGA:
1. Fine-Grained Access Control
OpenFGA is designed to handle complex, fine-grained access control requirements. This means you can define very specific access policies that dictate exactly who can access what, based on a wide variety of attributes.
2. Scalability
Built to scale horizontally, OpenFGA can handle authorization at large scales, making it suitable for enterprise-level applications with high demand.
3. Flexible Authorization Model
OpenFGA uses a flexible, relationship-based authorization model. You can define roles, permissions, and relationships in a way that fits your specific use case, enabling complex policy definitions.
4. Policy-as-Code
OpenFGA supports policy-as-code, allowing you to define and manage access control policies programmatically. This integrates well with modern development practices and CI/CD pipelines.
5. High Performance
The system is optimized for low-latency queries, ensuring that authorization decisions are made quickly, even under heavy load.
6. Auditability
OpenFGA provides robust logging and auditing features, making it easier to track access decisions and understand why specific decisions were made. This is crucial for compliance and security monitoring.
7. API-First Design
OpenFGA is designed with an API-first approach, making it easy to integrate with existing applications. It provides RESTful APIs to manage authorization data and evaluate access policies.
8. Open Source
As an open-source project, OpenFGA provides the flexibility to customize and extend the platform as needed. This also means that you can self-host it if desired.
9. Compatibility and Interoperability
OpenFGA is designed to work with existing identity providers and integrates well with other parts of an organization's tech stack, such as databases, microservices, and cloud infrastructure.
10. Community and Ecosystem
As an open-source project, OpenFGA has an active community that contributes to its development and provides support through forums and documentation.
11. Graph-Based Authorization
OpenFGA’s model is often graph-based, where relationships between users, roles, and resources are represented as a graph, enabling sophisticated and dynamic access controls that adapt to complex organizational structures.
To summarize, OpenFGA is a robust solution for implementing fine-grained authorization in applications that require detailed and scalable access control mechanisms.
Implementation concepts with OpenFGA
Let's discover some of the implementation concepts. To integrate OpenFGA with our applications, we can either use the OpenFGA REST API directly or use one of the available SDKs (for example for Node.js or .NET).
Once we decide which method to use, the next steps are:
Creation of an authorization store - an OpenFGA entity that contains the authorization data. You need to create a store in OpenFGA before adding an authorization model.
Creation of an authorization model - the authorization model is fundamental. Before making any authorization decisions, the model has to be created based on your needs and application functionality.
Creation of relationship tuples - a base tuple/triplet consisting of a user, a relation, and an object. An authorization model, together with relationship tuples, determines whether a relationship exists between a user and an object.
Once the above steps are complete, we can perform authorization checks to determine whether a user has a certain relationship with an object. There is a great modeling guide provided.
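To make the "model plus tuples decides the check" idea concrete, here is an added example (not OpenFGA's own code and not from this post) that evaluates a small OpenFGA-style model locally in Python. The model, the type names and the sample tuples are assumed; in a real deployment the same Check request is sent to the OpenFGA server through its REST API or an SDK instead of being evaluated in the application.

```python
# Added illustrative evaluator of an OpenFGA-style model; not OpenFGA's own code.
from typing import NamedTuple

# Assumed example model, in OpenFGA DSL:
#   type user
#   type folder
#     relations
#       define owner: [user]
#       define viewer: [user] or owner
#   type document
#     relations
#       define parent: [folder]
#       define owner: [user]
#       define editor: [user] or owner
#       define viewer: [user] or editor or viewer from parent
MODEL = {
    "folder": {"owner": [("direct",)],
               "viewer": [("direct",), ("computed", "owner")]},
    "document": {"parent": [("direct",)],
                 "owner": [("direct",)],
                 "editor": [("direct",), ("computed", "owner")],
                 "viewer": [("direct",), ("computed", "editor"),
                            ("from", "parent", "viewer")]},
}

class Tuple(NamedTuple):  # relationship tuple: user, relation, object
    user: str
    relation: str
    object: str

TUPLES = {  # constructed sample data, as it would be written to the store
    Tuple("user:anne", "owner", "document:roadmap"),
    Tuple("user:bob", "viewer", "document:roadmap"),
    Tuple("folder:planning", "parent", "document:budget"),
    Tuple("user:carol", "owner", "folder:planning"),
}

def check(user, relation, obj, tuples=TUPLES, model=MODEL, seen=None):
    """Walk the relationship graph; True if user has relation on obj."""
    seen = set() if seen is None else seen
    if (user, relation, obj) in seen:  # cycle guard
        return False
    seen.add((user, relation, obj))
    for rule in model.get(obj.split(":", 1)[0], {}).get(relation, []):
        if rule[0] == "direct" and Tuple(user, relation, obj) in tuples:
            return True
        if rule[0] == "computed" and check(user, rule[1], obj, tuples, model, seen):
            return True
        if rule[0] == "from":  # e.g. a viewer of the parent folder is a viewer
            for t in tuples:
                if t.relation == rule[1] and t.object == obj and \
                        check(user, rule[2], t.user, tuples, model, seen):
                    return True
    return False
```

Anne is a viewer of the roadmap only because owner implies editor implies viewer, and Carol can view the budget only through the folder she owns; neither fact is stored as a tuple, which is what the model contributes.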
OpenFGA Playground
There is one more very helpful tool - OpenFGA Playground.
The FGA Playground is a learning tool meant to help you learn and play with Fine Grained Authorization (FGA). It allows you to easily create, visualize, share and test your authorization models. If you want to access Okta FGA Playground, it is available under this link. There are also sample models available for tests and learning.
Hosting options for OpenFGA
When it comes to OpenFGA deployment, there are multiple options:
We can use Okta Fine Grained Authorization, which is a SaaS product fully managed for us by Okta.
We can run our own OpenFGA server using Docker and host it in any place we want.
We can run our own OpenFGA server in a Kubernetes cluster.
It is worth adding that OpenFGA uses a database to store authorization information. We can use either Postgres or MySQL.
Summary
In this post I explained what OpenFGA is and some of its capabilities. This is only an introduction. In the video published on my YouTube channel I explain more implementation details and show how to host OpenFGA securely in the Microsoft Azure cloud.