@wiggitywhitney
Created February 27, 2026 11:52

OpenFGA: Relationship-Based Authorization at Scale

Associated Thunder episode: OpenFGA: Relationship-Based Authorization at Scale



Before OpenFGA...

  • No authorization (authz) standards
  • Lots of authz tools available
  • Role-based access control (RBAC) exists, but is coarse-grained
  • Also attribute-based access control (ABAC)

FGA = Fine Grained Authz

What is OpenFGA?

OpenFGA is a high-performance, flexible authorization engine built for developers to enable fine-grained authz at scale.

  • Can be consumed as an API and/or a library
  • Also SDKs to help with modeling

OpenFGA can't make decisions based on any attribute like ABAC can. (Update: Conditions now fully support attribute-based checks)


OpenFGA is Relationship-Based, Not Just RBAC

  • Stores relationships; the "user" side of a relationship need not be a human (it can be a process, a service, or another object)
  • A user has a relationship to an object

3 Fields:

  1. User
  2. Relation
  3. Object

Ex: This org is a parent to this other org

Ex: This user is an admin in the marketing org

Ex: Whitney is a follower of Raghd

  • Could also be a set of users but always targeting a single object

How it works:

The application gets the user identity from wherever it comes from (probably a token), then calls the OpenFGA server API to discover whether that human or process is allowed to do the thing.

OpenFGA stores relationships it needs to make a decision.


Some OpenFGA Use Cases

  • Apps that enable sharing — ex: Google Drive, Miro, etc...
  • Delegating access of sensitive information — financial institutions, orgs that give access to other companies
  • Sharing nested resources at any level
  • Support engineers access only what they need for their open tickets
  • Easier to switch between teams — authz logic/skillset transfers

OpenFGA vs ABAC

OpenFGA: Stores relationships it needs to make a decision.

ABAC: Attribute-based policy engines that have to make calls to databases and perform logic about relationships to give access. This happens at the moment access is needed (check time).


OpenFGA Authorization Model

A static representation of the types of objects in your system and how they can relate to one another.

When OpenFGA receives a check request, it uses this model plus the stored relationship data to try to find a path from the user to the object being accessed.

The authorization model is immutable, so a new model can be tested before release. Access is auditable (you can see who accessed what).
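To make the check walk concrete, here is a tiny evaluator, added as an illustration and not OpenFGA's own code, that resolves a constructed model over constructed tuples the way the check above does: direct tuples, computed relations (an editor is also a viewer), relations inherited through a parent object, and usersets (the "set of users" case from the three-fields section). Every type, relation and user name below is made up.

```python
from typing import Dict, List, Set, Tuple
RelTuple = Tuple[str, str, str]  # (user, relation, object), e.g. ("user:whitney", "admin", "org:marketing")
# Constructed model: object type -> relation -> rewrite rules.
#   ("this",)        granted by a direct tuple (including userset tuples like "org:x#member")
#   ("computed", r)  having relation r on the same object implies this relation
#   ("ttu", ts, r)   "r from ts": having r on the object(s) linked through tupleset ts
MODEL: Dict[str, Dict[str, List[tuple]]] = {
    "org": {
        "parent": [("this",)],
        "admin": [("this",), ("ttu", "parent", "admin")],  # admins of the parent org are admins here
        "member": [("this",), ("computed", "admin")],
    },
    "doc": {
        "parent": [("this",)],
        "editor": [("this",), ("ttu", "parent", "admin")],
        "viewer": [("this",), ("computed", "editor"), ("ttu", "parent", "member")],
    },
}
# Constructed relationship tuples, the data stored ahead of check time.
TUPLES: Set[RelTuple] = {
    ("org:acme", "parent", "org:marketing"),         # acme is the parent of marketing
    ("user:whitney", "admin", "org:acme"),
    ("user:raghd", "member", "org:marketing"),
    ("org:marketing", "parent", "doc:plan"),
    ("user:viktor", "viewer", "doc:plan"),
    ("org:marketing#member", "viewer", "doc:memo"),  # userset: every marketing member
}

def check(user: str, relation: str, obj: str, tuples: Set[RelTuple] = TUPLES,
          model: Dict = MODEL, depth: int = 0) -> bool:
    """True if the model plus tuples yield a path from user to (relation, obj)."""
    if depth > 25:  # bound resolution so cyclic data cannot recurse forever
        raise RecursionError("resolution depth exceeded")
    for rule in model[obj.split(":", 1)[0]].get(relation, []):
        if rule[0] == "this":
            if (user, relation, obj) in tuples:
                return True
            for u, r, o in tuples:  # userset tuple: expand "type:id#rel" and recurse
                if o == obj and r == relation and "#" in u:
                    us_obj, us_rel = u.split("#", 1)
                    if check(user, us_rel, us_obj, tuples, model, depth + 1):
                        return True
        elif rule[0] == "computed" and check(user, rule[1], obj, tuples, model, depth + 1):
            return True
        elif rule[0] == "ttu":
            for u, r, o in tuples:  # follow the tupleset edge, then check rule[2] there
                if o == obj and r == rule[1] and check(user, rule[2], u, tuples, model, depth + 1):
                    return True
    return False
```

With this data, `check("user:whitney", "viewer", "doc:plan")` is true only because whitney is admin of the parent org's parent, which is exactly the path-finding the check performs.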


The Future

  • Modular authz model — different teams can own different pieces (Update: Now available)
  • Search with permissions — "Give me all the docs Whitney can view"
  • Standardization around authz — a common language for each service (near term and long term)

Some Benefits of the OpenFGA Process

  • Relationship computation can be done before check time
  • Data gathering is no longer required at check time
  • Authorization logic can be removed from the application