OpenFGA — Fine-Grained Authorization at Scale

Introduction

OpenFGA is a CNCF sandbox project that implements a relationship-based access control (ReBAC) engine inspired by Google's Zanzibar paper. It lets developers define authorization models as type-relation graphs and evaluate permission checks in sub-millisecond latency at scale.

What OpenFGA Does

• Evaluates fine-grained authorization checks based on object-relation-user tuples
• Models complex permission hierarchies like folders, teams, roles, and sharing
• Provides SDKs for Go, Node.js, Python, Java, and .NET
• Supports contextual tuples for request-time conditions like IP range or time of day
• Runs as a standalone server or embedded library

Architecture Overview

OpenFGA stores authorization data as relationship tuples (user, relation, object) in a backend datastore, either PostgreSQL or MySQL. Authorization models are written in a DSL that defines types, relations, and how permissions are derived through union, intersection, and exclusion operators. The Check API resolves whether a user has a relation to an object by traversing the tuple graph, using caching and concurrency to keep latency low.

Self-Hosting & Configuration

• Run via Docker, the official Helm chart, or prebuilt binaries for Linux and macOS
• Configure PostgreSQL or MySQL as the persistent tuple store
• Write authorization models in the OpenFGA DSL or JSON format
• Use the FGA CLI to test models locally before deploying them
• Deploy behind a reverse proxy with mTLS for production security

Key Features

• Zanzibar-inspired ReBAC engine for modeling any permission pattern
• Sub-millisecond check latency with built-in caching and graph traversal optimization
• Authorization model language with visual playground for rapid prototyping
• Contextual tuples for dynamic, request-time access decisions
• CNCF sandbox project with production use at Auth0, Okta, and Twitch

Comparison with Similar Tools

• OPA (Open Policy Agent) — General-purpose policy engine using Rego; OpenFGA specializes in relationship-based access control with a purpose-built graph engine
• Casbin — Embeddable ACL/RBAC library; OpenFGA offers a dedicated server with tuple storage and Zanzibar-scale graph evaluation
• SpiceDB — Also Zanzibar-inspired; OpenFGA is CNCF-backed with broader SDK support and Auth0 production lineage
• Keycloak — Identity provider with basic role mapping; OpenFGA handles fine-grained object-level permissions beyond RBAC

FAQ

Q: What is a relationship tuple? A: A tuple is a triple (user, relation, object) such as (user:alice, editor, document:readme). OpenFGA stores and queries these tuples to evaluate permissions.

Q: Can OpenFGA replace RBAC? A: Yes. RBAC is a subset of ReBAC. You can model roles as relations and add finer-grained object-level permissions on top.

Q: How does it scale? A: OpenFGA is stateless and horizontally scalable. Multiple instances share the same database, and caching reduces repeated graph traversals.

Q: Is there a hosted version? A: Auth0 offers a managed FGA service. The open-source server is fully functional for self-hosted deployments.

Sources

• https://github.com/openfga/openfga
• https://openfga.dev/docs