I posted this because using an authorization server like OpenFGA creates a real issue: syncing authorization related data.
There's identity data that needs to be synced (from an identity provider). This seemed like a cool open source solution for that. It's not enough, of course.
You also need to sync data between your application/domain and the authorization server to have accurate authorization decisions. But other than using the authorization server's SDK, I don't think there's a general solution to that problem.
Disclaimers: I have not used this software. I don't know if it is maintained. I also work for a company that has competitive offerings for both Keycloak and OpenFGA.
MidnightRider39•1d ago
In your view why is using the AuthZ server SDK not a good solution - or maybe other way around, what would be a more general solution?
mooreds•1d ago
I was more musing than anything else. I don't think application data is standardized enough to use a more general solution. This is true across all AuthZ servers; it's not an OpenFGA problem.
Maybe there's a mapping layer that is possible (similar to ETL) that moves it out of code into configuration? But I'm not sure.
Of course, if you end up sending all data contextually, you are better suited with a different solution that does not require a server roundtrip like Cedar.
Overall, it's interesting. OIDC is probably the most common practice for inter-service authentication today. The problem is that in practice, I've seen many configurations where OIDC could be used as an attack vector (missing sub claim condition, which effectively allows any token to assume the role).
elevation•18h ago
I'd never heard of OpenFGA and considered playing with it. The ideal demo for me would be granular permissions in an application like gitea/forgejo. Since they're both golang binaries I could spin this up in a lab pretty quickly. But it seems this has to be integrated deeply in the application; I couldn't find any real world applications that have turnkey support.
mooreds•1d ago
There's identity data that needs to be synced (from an identity provider). This seemed like a cool open source solution for that. It's not enough, of course.
You also need to sync data between your application/domain and the authorization server to have accurate authorization decisions. But other than using the authorization server's SDK, I don't think there's a general solution to that problem.
Disclaimers: I have not used this software. I don't know if it is maintained. I also work for a company that has competitive offerings for both Keycloak and OpenFGA.
MidnightRider39•1d ago
mooreds•1d ago
Maybe there's a mapping layer that is possible (similar to ETL) that moves it out of code into configuration? But I'm not sure.
aaguiarz•1d ago
Of course, if you end up sending all data contextually, you are better suited with a different solution that does not require a server roundtrip like Cedar.
This repo compares differences between the OpenFGA approach and the Cedar approach https://github.com/openfga/openfga-cedar-comparison