
TL;DR

Authentication or authorization? Which term applies to my current scope of work? Do I need to authenticate the user or authorize the user? OK: I need to authenticate the user first and then authorize them (not the other way round).

Dictionary:

  • Authentication - the process of verifying the identity of a user. How do we do it? In the most basic scenario, only one person knows a given login and password combination, so checking that the combination is correct authenticates the user.
  • Authorization - verifies that the user has the right to access a resource. Can I read the file? Can I write to the file?

I would like to share how to build an authorization service.

Big Picture

I believe authentication and authorization can be separated, or handled on many different levels. Consider what authorization for GitHub involves:

  • Organizations with members (multi-tenant solution),
  • Repositories with permissions (read, write, admin),
  • Different products (GitHub Actions, Copilot, GitHub Packages),
  • The subscription (free, pro, team, enterprise, copilot, etc.), which decides what access to the resources is granted.

The GitHub model from the OpenFGA Playground (screenshot).

Possible Solutions

To solve difficult problems with big and complicated authorization scenarios, we can build our own 'authorization store': design a domain model and define the store and its API. But we can also use existing solutions like:

Or use a key-value store like DynamoDB or CosmosDB plus a simple service to serve simple authorization data. What counts as simple? A flat group with users as members is simple. A multi-tenant solution with groups nested inside groups is a challenging scenario.

OpenFGA

I want to focus here on OpenFGA. The key points from my perspective are:

  • We can build both simple and complex authorization scenarios.
  • For the GitHub model described two sections above, there is detailed documentation and a sample model on the OpenFGA website.
  • Is your business more complicated? Do you need time-based access? There is a solution for that: OpenFGA has a nice feature called Contextual and Time-Based Authorization.
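To make the GitHub-style model concrete, here is a minimal Zanzibar-style check evaluator, added here as an example and not OpenFGA's own code or the playground model. The model and the relationship tuples (organization acme, team acme-backend, repository acme/api, users anne, bob, carol and dave) are constructed for illustration; it shows how `admin` implies `writer` implies `reader`, how organization members get read access through the repository's `owner` relation, and how a team userset grants access to its members.

```python
# Constructed example of Zanzibar/OpenFGA-style userset rewrites (not OpenFGA's code).
# Model: type -> relation -> rewrites.
#   ("this",)                  users are assigned directly by tuples (may be usersets like team:x#member)
#   ("computed", "admin")      anyone with `admin` on the same object also has this relation
#   ("ttu", "owner", "member") tuple-to-userset: anyone with `member` on the object's `owner`
MODEL = {
    "organization": {"member": [("this",)], "owner": [("this",)]},
    "team": {"member": [("this",)]},
    "repository": {
        "owner":  [("this",)],                                   # the owning organization
        "admin":  [("this",), ("ttu", "owner", "owner")],        # org owners administer its repos
        "writer": [("this",), ("computed", "admin")],
        "reader": [("this",), ("computed", "writer"), ("ttu", "owner", "member")],
    },
}

# Constructed relationship tuples: (user, relation, object).
TUPLES = {
    ("user:anne", "owner", "organization:acme"),
    ("user:bob", "member", "organization:acme"),
    ("user:carol", "member", "team:acme-backend"),
    ("team:acme-backend#member", "writer", "repository:acme/api"),  # nested group grant
    ("organization:acme", "owner", "repository:acme/api"),
    ("user:dave", "member", "organization:other"),
}


def check(user, relation, obj, depth=0):
    """Return True if `user` has `relation` on `obj` under MODEL and TUPLES."""
    if depth > 25:  # guard against cyclic tuples
        return False
    for rewrite in MODEL[obj.split(":", 1)[0]][relation]:
        if rewrite[0] == "this":  # direct assignments, expanding usersets recursively
            for u, r, o in TUPLES:
                if (r, o) != (relation, obj):
                    continue
                if u == user or ("#" in u and check(user, u.split("#")[1], u.split("#")[0], depth + 1)):
                    return True
        elif rewrite[0] == "computed":  # e.g. admin implies writer
            if check(user, rewrite[1], obj, depth + 1):
                return True
        else:  # tuple-to-userset: follow obj's `tupleset` relation, then check `computed` there
            _, tupleset, computed = rewrite
            if any(check(user, computed, u, depth + 1)
                   for u, r, o in TUPLES if (r, o) == (tupleset, obj) and "#" not in u):
                return True
    return False
```

With these tuples, bob (org member) can read but not write acme/api, carol (team member) can write but not administer it, anne (org owner) is admin, and dave has no access.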

Is OpenFGA, or another Zanzibar-like solution, right for you? Define your model and use the playground to check whether it fits your needs: OpenFGA Playground