Episode 030: 07‐16‐2024 OpenFGA Deep Dive - GluuFederation/identerati-office-hours GitHub Wiki

Title: OpenFGA Deep Dive

LinkedIn Event

Description

OpenFGA (Open Fine-Grained Authorization) is a CNCF sandbox project designed to provide scalable, fine-grained access control for applications. It is based on the Zanzibar model, originally developed by Google, which offers flexible and expressive policy management. Developers might prefer OpenFGA over other authorization solutions due to its ability to handle complex relationships and permissions with high performance and low latency, making it suitable for large-scale, real-time systems. In this episode, we'll do a deep dive on OpenFGA to help identerati understand the current state and future promise.

Okta Visualization tool for OpenFGA policy store

openfga

Homework

Takeaways

  • Relationship-based Access Control (ReBAC) is an authorization model that works particularly well when you have so many relationships, and therefore so many effective policies, that you can't possibly load them all into memory. Unlike OPA, which typically runs as a sidecar with its policies and data in memory, the PIP (policy information point) for OpenFGA is normally a database. You could run OpenFGA as a sidecar, but it makes more sense to run it as a centralized cloud service.

  • File sharing is the most commonly used example for ReBAC: it has a stable data model, and millions of consumers use it to define their own policies for sharing a plethora of resources. But OpenFGA is not limited to this use case; it is a good way to model many authz use cases. For example, Canonical uses OpenFGA to model authorization for its Juju orchestration platform.

  • Okta issues tokens and provides enterprise identity governance tools, but it didn't have a way for application developers to rely on a cloud service to authorize access requests from applications. OpenFGA emerged as the best solution for those requirements. Letting developers externalize policies should help them get more value out of Okta's cloud identity services.

  • Andres and Damian were supportive of the OpenID AuthZEN interface work, but the AuthZEN standard will need to mature a little before that work is scheduled.
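As an added illustration of the first two takeaways (a ReBAC check walks the relationship graph outward from the object being checked rather than loading every policy, and file sharing as the canonical model), here is a small Python evaluator written for this page. It is not OpenFGA's code or API: the group/folder/document model, the DSL text and the sample tuples are hypothetical constructions, and it leaves out OpenFGA features such as conditions, exclusion, intersection and contextual tuples.

```python
"""Toy Zanzibar-style ReBAC check over a relationship-tuple store.

Illustrative evaluator written for this page, not OpenFGA's code: it walks
relation rewrites (direct, computed, tuple-to-userset) and reads only the
tuples reachable from the object being checked.
"""
from collections import defaultdict

# Hypothetical file-sharing model in OpenFGA's schema 1.1 DSL; MODEL below
# expresses the same rewrites as data the evaluator can walk.
MODEL_DSL = """
model
  schema 1.1
type user
type group
  relations
    define member: [user]
type folder
  relations
    define owner: [user]
    define editor: [user] or owner
    define viewer: [user, group#member] or editor
type document
  relations
    define parent: [folder]
    define owner: [user]
    define editor: [user] or owner
    define viewer: [user, group#member] or editor or viewer from parent
"""

# Rewrite rules: "this" = a stored tuple on this object; ("computed", r) =
# "or r" on the same object; ("from", tupleset, r) = "r from tupleset".
# The rules listed for one relation are OR-ed together.
MODEL = {
    ("group", "member"): ("this",),
    ("folder", "owner"): ("this",),
    ("folder", "editor"): ("this", ("computed", "owner")),
    ("folder", "viewer"): ("this", ("computed", "editor")),
    ("document", "parent"): ("this",),
    ("document", "owner"): ("this",),
    ("document", "editor"): ("this", ("computed", "owner")),
    ("document", "viewer"): ("this", ("computed", "editor"), ("from", "parent", "viewer")),
}


class TupleStore:
    """Stand-in for OpenFGA's database: tuples indexed by (object, relation)."""

    def __init__(self, tuples):
        self._index = defaultdict(set)
        for obj, relation, subject in tuples:
            self._index[(obj, relation)].add(subject)
        self.reads = 0  # index lookups performed, i.e. what a check touched

    def subjects(self, obj, relation):
        self.reads += 1
        return self._index.get((obj, relation), set())


def check(store, obj, relation, user, seen=None):
    """True if user has relation on obj under MODEL; follows the graph lazily."""
    seen = set() if seen is None else seen
    if (obj, relation, user) in seen:  # cycle, or a node that already failed
        return False
    seen.add((obj, relation, user))
    for rule in MODEL.get((obj.split(":", 1)[0], relation), ()):
        if rule == "this":
            for subject in store.subjects(obj, relation):
                if subject == user:
                    return True
                if "#" in subject:  # userset subject, e.g. group:eng-team#member
                    s_obj, s_rel = subject.split("#", 1)
                    if check(store, s_obj, s_rel, user, seen):
                        return True
        elif rule[0] == "computed":
            if check(store, obj, rule[1], user, seen):
                return True
        elif rule[0] == "from":
            for parent in store.subjects(obj, rule[1]):
                if check(store, parent, rule[2], user, seen):
                    return True
    return False


# Constructed sample tuples (object, relation, subject); not real data.
SAMPLE_TUPLES = [
    ("folder:eng", "owner", "user:alice"),
    ("folder:eng", "viewer", "group:eng-team#member"),
    ("group:eng-team", "member", "user:bob"),
    ("document:roadmap", "parent", "folder:eng"),
    ("document:roadmap", "editor", "user:carol"),
    ("document:secret", "owner", "user:dave"),
]


def check_with_reads(obj, relation, user, tuples=SAMPLE_TUPLES):
    """Run one check on a fresh store; return (allowed, index reads it needed)."""
    store = TupleStore(tuples)
    return check(store, obj, relation, user), store.reads
```

`check_with_reads("document:roadmap", "viewer", "user:alice")` returns `(True, 8)`: alice is allowed because she owns the parent folder, and establishing that touched eight index entries (document, parent link, folder, group), never the store as a whole. That is the property behind the first takeaway: each check is a handful of lookups against the tuple store, which in OpenFGA is a database, so the service sits next to the database as a central component rather than carrying all policies in a sidecar's memory.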

Livestream Audio Archive

here