OpenFGA is a high performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. It incorporates powerful Relationship-Based Access Control (ReBAC) and Attribute Based Access Control (ABAC) concepts with a domain-specific language that makes it easy to craft authorization and permission solutions that can grow and evolve to any use case, at any scale.

OpenFGA was originally developed by Auth0/Okta, and donated to the Cloud Native Computing Foundation on September 14, 2022, and is currently at the Sandbox level of graduation.

It's currently being maintained by Okta and Grafana employees.

This community wants to solve authorization for everyone, regardless of the scale or complexity required for any given piece of software, and we think OpenFGA's design is the way to do it. In particular, the fine-grained authorization approach which OpenFGA incorporates is becoming an increasingly critical element of access control in software:

• Collaboration and social features are things users expect. These features range from the ‘Share’ button where users proactively grant specific permissions to a set of users for a specific resource, to ‘Request Access’ workflows that allows users to reactively grant access on demand. These features are useful both for business-related assets such as documents or project boards, as well as social sharing of personal content like photo albums, social media posts, and even IoT devices. OpenFGA makes these scenarios easy to build and govern.

• Traditional Role-Based Access Control (RBAC) solutions become difficult to administer and scale, but fine-grained approaches like OpenFGA can create authorization models that are still easy to understand and visualize for complex authorization patterns.

• Security, compliance, and privacy are mandatory problems to solve for any software application from day one, and authorization is a big part of any solution. In fact, the top risk in the OWASP Top 10 API Security Risks list is Broken Object Level Authorization.

Centralizing your authorization logic and decisions into a single service that has the flexibility to handle use cases across your different products gives you distinct advantages:

• Deliver faster: You’ll be able to ship features and products faster, as the system should be easily extensible to new requirements.
• Simplify authorization policy auditing: Explicit authorization rules are easier to audit by internal and external parties.
• Simplify access control auditing: The authorization service generates logs for all operations out-of-the-box, both reads and writes
• Lower operational costs: Having a single authorization system makes it simpler to manage.
• Simpler to switch teams: Developers can use the same authorization concepts and APIs regardless of the team they work on.

OpenFGA has high quality developer tooling, including:

• SDKs for Go, JavaScript, .NET, Python, Java.
• A CLI to operate an OpenFGA server, import/export models and tuples and test models.
• Extensions to Visual Studio Code and JetBrains IDEs with syntax coloring and validation for models and tests.
• A Helm Chart to simplify deployment in Kubernetes clusters.
• GitHub Actions for testing and deploying models through CI/CD
• A Terraform Provider to manage OpenFGA instances with code.

• Adopters: Find out who is using OpenFGA in production.
• Contributing: Read this CONTRIBUTING.md guide for an outline for interacting with the OpenFGA community and its governance structure, as well as details how to write, test, and submit code changes.
• Documentation: Read about OpenFGA at the project's website and documentation repository, https://openfga.dev.
• Community: Join the OpenFGA Community in the CNCF Slack or GitHub Discussions.
• Community Projects: We're building amazing things with OpenFGA. Check them out in our Community Projects list.