Additional OpenFGA API Authorization Options - Experimental

[aaguiarz]

OpenFGA currently supports pre-shared keys and OIDC for authenticating calls to the APIs. Those credentials are global, and allow performing any action in any store.

We want to provide more granularity for authorizing calls to the OpenFGA API. Some scenarios:

• Different credentials for each FGA store.
• Different credentials with different permissions per FGA store (e.g. some credentials can perform writes while others cannot).
• Different credentials with different permissions per FGA module (e.g. some credentials can perform writes on types of some modules while others cannot).
• Different credentials with different permissions for different types in the FGA store (e.g. some credentials allow writing tuples for documents and others allow writing tuples for users)

This RFC discusses different alternatives in more depth openfga/rfcs#10

[cafaray]

[Possible Typo]
Should it be:
"OpenFGA currently supports pre-shared keys and OIDC for authenticating calls to the APIs"
Current:
"OpenFGA currently supports pre-shared keys and ODIC for authenticating calls to the APIs"

[tylernix]

[Possible Typo] Should it be: "OpenFGA currently supports pre-shared keys and OIDC for authenticating calls to the APIs" Current: "OpenFGA currently supports pre-shared keys and ODIC for authenticating calls to the APIs"

Thank you @cafaray. Fixed.

[jakeyheath]

If there is any desire to have help implementing this feature, my team would love to volunteer! Not sure how far along the RFC process has progressed, but if you have guidance on how to contribute back here, please reach out.

[rhamzeh]

Hey folks - we didn't update this Roadmap item, but we have released an experimental feature for setting up Access Control in OpenFGA.

It currently requires OIDC.

The docs are here: https://openfga.dev/docs/getting-started/setup-openfga/access-control

Try it out and let us know your thoughts!