Approaching Fine-Grained Authorization at scale using OpenFGA

Sathiyaraman M
21 October 2024
Authorization OpenFGA vipanan-test

There are a lot of ways to set up authentication while developing an application.

Most of the time they are fairly easy compared to what comes next – authorization.

Sometimes authorization is as simple as just being authenticated (basically no authorization), and sometimes it is as hard as being very specific to the currently authenticated user (fine-grained authorization), say, only John can download that confidential document. The worse part is that it can become too rigid and very messy over time.

We had a specific use case where we needed to implement fine-grained authorization that was flexible enough to let us change the authorization rules. We quickly realised that the authorization rules shouldn’t be tied into the code, or else a rule change would need a redeployment.

So we decided to use an external authorization solution that stores all authorization rules and evaluates authorization for a given request on demand. For example, James creates a new blog on our platform and only James can edit it. The authorization solution should store the context that a new blog was created and that James is the author of the blog.

We evaluated some of the options and settled on OpenFGA.

What is OpenFGA?

OpenFGA is an open-source authorization solution that uses ideas from Google’s Zanzibar paper to implement relationship-based access control. It provides a modelling language to write down your domain objects and use their relationships to establish access controls.
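The blog scenario above, sketched as an added example (not from the original post, and not OpenFGA's API or engine): relationships and rules are held as data and evaluated on demand, so a rule change is a data change rather than a redeployment. The names `MODEL`, `MODEL_V2`, `TUPLES`, `check` and the team `reviewers` are assumptions made for illustration.

```python
# Simplified relationship-based check. Illustration only, not OpenFGA's API.
# Constructed model: per object type, each relation or permission maps to the
# stored relations that grant it.
MODEL = {
    "team": {"member": {"member"}},
    "blog": {"author": {"author"}, "editor": {"editor"}, "can_edit": {"author"}},
}
# The rule change: editors may now edit too. Only data changes, check() does not.
MODEL_V2 = {**MODEL, "blog": {**MODEL["blog"], "can_edit": {"author", "editor"}}}

# Constructed relationship tuples: (subject, relation, object).
# A subject of the form "type:id#relation" means "everyone with that relation".
TUPLES = [
    ("user:james", "author", "blog:first-post"),
    ("team:reviewers#member", "editor", "blog:first-post"),
    ("user:john", "member", "team:reviewers"),
]


def check(user, relation, obj, model, tuples, seen=None):
    """Return True if `user` holds `relation` on `obj`, directly or via a group."""
    seen = set() if seen is None else seen
    key = (user, relation, obj)
    if key in seen:  # already explored: stops cycles in group membership
        return False
    seen.add(key)
    obj_type = obj.split(":", 1)[0]
    granting = model.get(obj_type, {}).get(relation)
    if granting is None:  # unknown type or relation: deny by default
        return False
    for subject, rel, target in tuples:
        if target != obj or rel not in granting:
            continue
        if subject == user:  # direct relationship
            return True
        if "#" in subject:  # indirect: resolve the group's relation
            group, group_rel = subject.split("#", 1)
            if check(user, group_rel, group, model, tuples, seen):
                return True
    return False


if __name__ == "__main__":
    for name, model in (("MODEL", MODEL), ("MODEL_V2", MODEL_V2)):
        for user in ("user:james", "user:john"):
            allowed = check(user, "can_edit", "blog:first-post", model, TUPLES)
            print(name, user, "can_edit ->", allowed)
```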

A simple example would be GitHub repository access. Say you create a GitHub repo and you provide access to John.