openfga / openfga

A high performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar
https://openfga.dev
Apache License 2.0

Authenticate services using SPIFFE #1704

Open aaguiarz opened 2 months ago

aaguiarz commented 2 months ago


Describe the problem you'd like to have solved

Currently services are authenticated to OpenFGA using shared secrets or OAuth, but not SPIFFE

Describe the ideal solution

Provide a way to authenticate clients using SPIFFE

Alternatives and current workarounds

Use shared keys or OAuth for authorization

Additional context

-

rficcaglia commented 2 months ago

it should be noted from the SPIFFE docs:

Being a bearer token, JWT-SVIDs are susceptible to replay attacks. By requiring that the aud and exp claims be set, this specification has taken steps to improve the situation, but is unable to solve it completely while retaining validation compatibility with [RFC 7515](https://tools.ietf.org/html/rfc7519). It is very important to understand this risk.

so really X.509 SVIDs specifically would be preferred if using SPIFFE. Using JWT SVIDs may not offer much better security than just the current OAuth capability.
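As an added illustration of the X.509-SVID path preferred above (example code written for this page, not OpenFGA's implementation and not from the SPIFFE/SPIRE projects), here is what the server side of "authenticate clients using SPIFFE" looks like in Go, OpenFGA's language, using only the standard library so it runs offline. It validates a client certificate against the trust-domain bundle, extracts the SPIFFE ID from the single URI SAN that the X.509-SVID spec requires, and checks it against an allowlist. The trust domain example.org, the ID spiffe://example.org/billing-service and the throwaway CA (standing in for the SPIRE server's bundle) are assumptions of the example. Because the TLS handshake proves possession of the SVID's private key, there is no bearer token for an observer to replay, which is the difference from a JWT-SVID that the comment above points out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Assumed trust domain for this example; a real deployment configures its own.
const trustDomain = "example.org"

// spiffeIDFromSVID applies the X.509-SVID rule: exactly one URI SAN, which
// must be a workload SPIFFE ID inside our trust domain.
func spiffeIDFromSVID(leaf *x509.Certificate) (string, error) {
	if len(leaf.URIs) != 1 {
		return "", fmt.Errorf("expected exactly one URI SAN, got %d", len(leaf.URIs))
	}
	u := leaf.URIs[0]
	if u.Scheme != "spiffe" || u.Host != trustDomain || len(u.Path) < 2 {
		return "", fmt.Errorf("URI SAN %q is not a workload SPIFFE ID in %s", u, trustDomain)
	}
	return u.String(), nil
}

// authenticateClient validates the X.509-SVID presented as the TLS client
// certificate against the trust-domain bundle, then allowlists its SPIFFE ID.
func authenticateClient(leaf *x509.Certificate, bundle *x509.CertPool, now time.Time, allowed map[string]bool) (string, error) {
	// KeyUsages must name ClientAuth: with it empty Go assumes ServerAuth.
	if _, err := leaf.Verify(x509.VerifyOptions{
		Roots: bundle, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return "", fmt.Errorf("chain validation failed: %w", err)
	}
	id, err := spiffeIDFromSVID(leaf)
	if err != nil {
		return "", err
	}
	if !allowed[id] {
		return "", fmt.Errorf("%s is not permitted to call this API", id)
	}
	return id, nil
}

// mint signs tmpl for a fresh P-256 key; with parent == nil it self-signs.
func mint(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newTrustDomainCA is a throwaway CA standing in for the SPIRE server's bundle.
func newTrustDomainCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return mint(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test trust domain CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// issueSVID mints a client leaf with the given URI SANs (a real SVID has one);
// the workload's private key is dropped since only the certificate reaches us.
func issueSVID(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, uris []*url.URL, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	cert, _, err := mint(&x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: "svid"},
		NotBefore: notBefore, NotAfter: notAfter, URIs: uris,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, caCert, caKey)
	return cert, err
}

func main() {
	now := time.Now()
	caCert, caKey, err := newTrustDomainCA(now)
	if err != nil {
		panic(err)
	}
	bundle := x509.NewCertPool()
	bundle.AddCert(caCert)
	billing := &url.URL{Scheme: "spiffe", Host: trustDomain, Path: "/billing-service"}
	svid, _ := issueSVID(caCert, caKey, []*url.URL{billing}, now.Add(-time.Minute), now.Add(time.Hour))
	fmt.Println(authenticateClient(svid, bundle, now, map[string]bool{billing.String(): true}))
}
```

In a real server the leaf would come from the TLS layer (for example via tls.Config.VerifyPeerCertificate, or tls.ConnectionState.PeerCertificates[0] after the handshake) and the bundle would be fetched and rotated through the SPIFFE Workload API, which is what the go-spiffe library does; the example hand-rolls both so that it runs without a SPIRE agent. The checks that matter regardless of library are the ones shown: chain validation against the trust-domain bundle for client auth, exactly one URI SAN in the right trust domain, and an explicit allowlist of SPIFFE IDs rather than trusting any workload the CA has ever issued to.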