{
  "@context": [
    "https://www.w3.org/ns/credentials/v2"
  ],
  "type": [
    "VerifiableCredential",
    "BlogPostCredential"
  ],
  "id": "urn:uuid:7822b36e-962f-460a-8c69-b8516aaf6481",
  "issuer": "did:webvh:QmTVQnV3qGxWzWmnmWJAy1zkYswgbUmE95K5qodmAizVfr:mjendza.net",
  "validFrom": "2026-03-15T13:35:32Z",
  "credentialSubject": {
    "title": "Play with Authorization",
    "author": "Mateusz Jendza",
    "body": "![mario-title](/images/authorization/mario.jpg)\r\n\r\n## TL;DR\r\nAuthentication or authorization? Which term do I need to use for my current scope of work? Do I need to authenticate the user or authorize them? OK! I need to authenticate the user and then authorize them (or the opposite).\r\n\r\nDictionary:\r\n- Authentication - the process of verifying the identity of a user. How can we do it? In a basic scenario, when only one person knows the combination of login and password, we need to check that the combination is correct to authenticate the user.\r\n- Authorization - verifies that the user has the right to access a resource. Can I read the file? Can I write to the file?\r\n\r\n## I would like to share how to build an authorization service.\r\n\r\n## Big Picture\r\nI believe authentication and authorization can be separated - or treated on many different levels. Consider the authorization model for GitHub:\r\n- Organizations with members (a multi-tenant solution),\r\n- Repositories with permissions (read, write, admin),\r\n- Different products (GitHub Actions, Copilot, GitHub Packages),\r\n- Based on the subscription (free, pro, team, enterprise, copilot, etc.) you need to decide about access to the resources.\r\n\r\nThe GitHub model from the OpenFGA Playground:\r\n![github-playground](/images/authorization/github.jpg)\r\n\r\n## Possible Solutions\r\nTo solve difficult problems with big and complicated authorization scenarios, we can build our own 'authorization store' - we can design a domain model and define the store and its API. But we can also use existing solutions like:\r\n- [OpenFGA](https://openfga.dev)\r\n- [Permify](https://permify.co)\r\n- [SpiceDB](https://authzed.com/spicedb)\r\n\r\nOr use a key-value store like DynamoDB or CosmosDB plus a simple service to deliver simple authorization data. What is simple? A flat group with users as members is simple. A multi-tenant solution with groups inside groups is a challenging scenario.\r\n\r\n## OpenFGA\r\nI want to focus here on the OpenFGA solution. Key points from my side are:\r\n- We can build both easy and complex authorization scenarios\r\n- Based on the GitHub model shown above - there is detailed documentation and a sample on the OpenFGA website [link](https://openfga.dev/docs/modeling/advanced/github)\r\n- Is your business more complicated? Do you have time-based access? There is a solution for that - OpenFGA has a nice feature - [Contextual and Time-Based Authorization](https://openfga.dev/docs/modeling/contextual-time-based-authorization)\r\n\r\n\r\nIs OpenFGA, or another Zanzibar-like solution, right for you? Define your model and use the playground to check whether it fits your needs. [OpenFGA Playground](https://play.fga.dev/sandbox/?store=github)",
    "datePublished": "2024-02-27",
    "url": "/post/authorization",
    "description": "Play with Authorization",
    "tags": [
      "Authorization",
      "Security"
    ]
  },
  "proof": {
    "type": "DataIntegrityProof",
    "cryptosuite": "eddsa-jcs-2022",
    "verificationMethod": "did:key:z6MksoqpqENZmzzA4nhCPkfcbWtRHVegGV38Yqu2arRc5Er2#z6MksoqpqENZmzzA4nhCPkfcbWtRHVegGV38Yqu2arRc5Er2",
    "created": "2026-03-15T13:35:32Z",
    "proofPurpose": "assertionMethod",
    "proofValue": "z4LZJqtcJXNN7PPZWJixKFmA1Nni1G2HaWKjkShDpmgvU6xhUek2DjMrWc54gYfyZhDhGaSkdZAaK8B8pGU5TCarr"
  }
}