Kuadrant / authorino

K8s-native AuthN/AuthZ service to protect your APIs.
Apache License 2.0

OpenFGA integration for fine grained authorization checking #481

Open danielloader opened 2 months ago

danielloader commented 2 months ago

Is your feature request related to some problem you are facing? Please describe that problem here.

I'd like to propose documenting how to integrate with OpenFGA (HTTP or gRPC) to do external fine-grained authorization checks.

Describe the solution you'd like

An example similar to Keycloak Authorization services. Embedding middleware to do these checks in the backends has proven to be less reliable and portable than handling this at the networking layer outside of the pod.

Describe alternatives you've considered

Using Keycloak or OPA since we already use OpenFGA.

Additional context

This is just thinking aloud to gauge interest; upvote this issue if you would like to see some OpenFGA-related integration.

guicassolato commented 2 months ago

Thanks for proposing this, @danielloader! You get my 👍 on this as OpenFGA integration sounds like an interesting use case for Authorino indeed.

I would also like to remind you about Authorino's SpiceDB integration, which is another way to implement ReBAC with an external server, already built into the AuthConfig API.

danielloader commented 2 months ago

Yeah, spotted it after I posted this; guess they compete in the same space.

Still, OpenFGA is quite popular as far as I can tell, so it's always good to demonstrate use with other authz services.