As a developer that is leveraging Open Policy Agent I want to use OpenFGA for fine grained authorization.
When using OPA, the data that the policy needs to use is provided by whoever is enforcing the policy. For example, if the policy says that it an only be used by members of a specific group, the group information need to provided to the policy. It can be obtained from an identity token, or by making a call to a service/database to obtain it.
We want to allow OPA users to easily call the OpenFGA ‘check’ API as part of the policy decision. In that way, OpenFGA can be utilized as another Policy Information Point along other pieces of information. This allows existing OPA users to leverage OpenFGA.
To achieve that we need to integrate OpenFGA with “Rego”, the language used to define policies in OPA.
When using OPA, the data that the policy needs to use is provided by whoever is enforcing the policy. For example, if the policy says that it an only be used by members of a specific group, the group information need to provided to the policy. It can be obtained from an identity token, or by making a call to a service/database to obtain it.
We want to allow OPA users to easily call the OpenFGA ‘check’ API as part of the policy decision. In that way, OpenFGA can be utilized as another Policy Information Point along other pieces of information. This allows existing OPA users to leverage OpenFGA.
To achieve that we need to integrate OpenFGA with “Rego”, the language used to define policies in OPA.
Given there's already a third party OPA integration https://github.com/thomasdarimont/custom-opa-openfga, it's not clear if we should invest on this in the near future.