DEV Community

Robertino

Auth0 Fine Grained Authorization: Developer Community Preview Release

We are excited to announce the Developer Community Preview for Auth0 Fine Grained Authorization (FGA), our upcoming SaaS to solve authorization-at-scale for developers.


What Is Fine Grained Authorization?

Authentication is about who the user is. Authorization is about what they can do.

Historically, software applications have, in general, handled authorization in a coarse-grained manner: a user holds one or more roles in an application, and each role grants permission to perform certain actions across the whole application. This worked well for a while because users did not create content in those systems. As social and work collaboration applications became mainstream, a different kind of authorization became necessary: fine grained authorization.

An application implements fine grained authorization when it can determine a user's permission to perform actions on any object in the application, and users can create objects in the application and manage permissions to those objects.

This is "fine grained" because there is no lower limit to the granularity at which builders of the system can make authorization decisions. It is up to the builders of the system to determine how granular they want authorization to be, and up to the users of the system to determine who has specific permissions on objects.

Why Is Fine Grained Authorization Important?

Fine grained authorization is increasingly becoming a critical element in software. For example:

  • Collaboration and social features are things users expect, such as the ‘Share’ button you see in so many applications. This applies to both business-related assets, such as documents and project boards, and personal assets like pictures and home IoT devices. Sharing one of these objects with a specific user is a fine grained authorization use case.
  • Security, compliance, and privacy are musts for any software application from day 1, and authorization is a big part of solving those concerns. In fact, the top risk in the OWASP Top 10 2021 is Broken Access Control (A01:2021).

However, solving authorization in an application is not a trivial matter. We believe applications solve authorization correctly if their authorization solution has the following characteristics:

  1. Reviewable: It should be easy to determine "who can access what," essentially understand the rules used to enforce access control.
  2. Easy to manage change: Authorization related changes must be explicit and traceable. Change management control for authorization is important.
  3. Auditable: It should be possible to know what happened with regards to authorization, in essence "who tried to access what, and when?".
  4. Reliable: Authorization decisions are made as part of most flows/requests, so authorization components need to always be running and returning the expected results.
  5. Fast: Authorization decisions are made as part of most flows/requests, so they need to be fast. If authorization decisions are slow, then the end-user experience is slow as a whole.

Implementing all of the above is complex, even with expertise. So we looked at how we could solve authorization for our customers, and allow them to focus on their core business. This is what led us to create Auth0 Fine Grained Authorization.

What Is Auth0 Fine Grained Authorization?

Auth0 Fine Grained Authorization (FGA) is a SaaS to solve fine grained authorization at scale for developers. It is inspired by Google Zanzibar, the system Google uses to solve authorization across all their products, such as Google Drive, YouTube, Google Cloud, and others.

Auth0 FGA does not require you to be using Auth0 already. You can use Auth0 FGA with any identity provider: your own user database (e.g. MySQL, PostgreSQL), Auth0, Okta or anything else.

Auth0 FGA centralizes your authorization. It becomes your "authorization (micro)service" if you will. It's a single place for you to define your authorization model, store your authorization data and make your authorization decisions, across all your apps and products.

Centralizing your authorization logic and decisions into a single service that has the flexibility to handle use cases across your different products gives you distinct advantages:

  • Simplify security auditing: Explicit authorization rules are easier to audit by internal and external parties.
  • Lower costs: Standardizing how authorization is done across your company makes it easier for developers to switch teams.
  • Deliver faster: You’ll be able to ship features and products faster, as the system is easily extensible to new requirements.
  • Security logging: The Auth0 FGA service generates logs for all operations out-of-the-box, both reads and writes.
  • Empower your users: Allow users to take control of granting access to their data directly in your application.
  • Fast and reliable at scale: A centralized service dedicated to fine grained authorization should scale as your business and products grow. Since Auth0 FGA specializes in fine grained authorization and nothing else, it can be particularly optimized for access control patterns and use cases, improving the latency and reliability of your authorization approach.



Auth0 FGA supports granting access at an atomic object level in any system, easily enabling collaboration between users, going far beyond typical role-based access control (RBAC). It also supports building custom roles into any system, empowering your customers to define how to manage access. Auditing capabilities provide fundamental building blocks for security and compliance teams. The more we’ve spoken to customers about it, the more we’ve learned just how many use cases it can solve for.


Organizations like Airbnb and Carta have built Zanzibar-like systems to solve their authorization needs. We don’t think organizations should build the same authorization tooling, again and again, so we set out to build one version everyone can use. We developed Auth0 FGA as a service so you don't have to.

How Do I Get Started?

To start using Auth0 FGA you need to do three things:

  1. Define your authorization model (docs)
  2. Write authorization data from your system to Auth0 FGA (docs)
  3. Add authorization to your API by adding access control checks to your system (docs)

Note:

The Developer Community Preview is meant to help us learn how customers use the product. If you have feedback, reach out on our Community Discord.

From that point on, all authorization decisions are centralized and made by Auth0 FGA. You can think of it as your "authorization microservice."
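To make the three steps concrete, here is an added, toy in-memory implementation of the Zanzibar-style model the post describes: a model that says how each relation is derived, a store of relationship tuples, and a check() that resolves them. This is illustrative code written for this article, not Auth0 FGA's API or SDK; the type names (doc, folder, group), the relations, the MODEL/RelationshipStore/check names and the sample users are all invented for the example, and the tuples are constructed sample data.

```python
"""Toy Zanzibar-style relationship store (illustrative, not Auth0 FGA's API).

Step 1: MODEL describes how each relation on each object type is derived.
Step 2: write() records relationship tuples (object, relation, user).
Step 3: check() answers "does user have relation on object?" by walking the model.
"""
from dataclasses import dataclass

# Step 1: the authorization model (hypothetical types and relations).
# Each relation lists the ways a user can hold it; the result is their union:
#   ("this",)              a tuple names the user directly, or names a userset
#                          such as "group:eng#member" that the user belongs to
#   ("computed", r)        anyone holding relation r on the same object
#   ("tupleset", t, r)     anyone holding relation r on an object reached via t
MODEL = {
    "group": {"member": [("this",)]},
    "folder": {
        "owner": [("this",)],
        "viewer": [("this",), ("computed", "owner")],
    },
    "doc": {
        "parent": [("this",)],
        "owner": [("this",)],
        "editor": [("this",), ("computed", "owner")],
        "viewer": [("this",), ("computed", "editor"), ("tupleset", "parent", "viewer")],
    },
}


@dataclass(frozen=True)
class Tuple:
    object: str    # e.g. "doc:roadmap"
    relation: str  # e.g. "viewer"
    user: str      # "user:anne", a userset "group:eng#member", or an object "folder:q3"


class RelationshipStore:
    def __init__(self, model):
        self.model = model
        self.tuples = set()

    def write(self, object, relation, user):
        """Step 2: record a tuple; reject relations the model does not define."""
        obj_type = object.split(":", 1)[0]
        if relation not in self.model.get(obj_type, {}):
            raise ValueError(f"unknown relation {obj_type}#{relation}")
        self.tuples.add(Tuple(object, relation, user))

    def delete(self, object, relation, user):
        """Revocation is just removing the tuple; checks reflect it immediately."""
        self.tuples.discard(Tuple(object, relation, user))

    def _direct(self, object, relation):
        return [t.user for t in self.tuples if t.object == object and t.relation == relation]

    def check(self, user, relation, object, _depth=0):
        """Step 3: resolve the model's rules for (object, relation) to a decision."""
        if _depth > 25:  # guard against a cyclic model or runaway nesting
            raise RecursionError("model cycle or excessive nesting")
        obj_type = object.split(":", 1)[0]
        rules = self.model.get(obj_type, {}).get(relation)
        if rules is None:
            return False  # unknown type/relation: deny, never guess
        for rule in rules:
            if rule[0] == "this":
                for subject in self._direct(object, relation):
                    if subject == user:
                        return True
                    if "#" in subject:  # userset: recurse into its members
                        s_obj, s_rel = subject.split("#", 1)
                        if self.check(user, s_rel, s_obj, _depth + 1):
                            return True
            elif rule[0] == "computed":
                if self.check(user, rule[1], object, _depth + 1):
                    return True
            elif rule[0] == "tupleset":
                _, tupleset, rel = rule
                for target in self._direct(object, tupleset):
                    if self.check(user, rel, target, _depth + 1):
                        return True
        return False


def demo():
    """Constructed sample data: Anne owns a doc in a folder shared with group:eng."""
    store = RelationshipStore(MODEL)
    store.write("group:eng", "member", "user:bob")
    store.write("folder:q3", "viewer", "group:eng#member")
    store.write("doc:roadmap", "parent", "folder:q3")
    store.write("doc:roadmap", "owner", "user:anne")
    results = {
        "anne_can_view": store.check("user:anne", "viewer", "doc:roadmap"),   # owner -> editor -> viewer
        "bob_can_view": store.check("user:bob", "viewer", "doc:roadmap"),     # folder viewer via group
        "bob_can_edit": store.check("user:bob", "editor", "doc:roadmap"),     # no path: denied
        "carol_can_view": store.check("user:carol", "viewer", "doc:roadmap"), # no tuples: denied
    }
    store.delete("group:eng", "member", "user:bob")  # revoke group membership
    results["bob_can_view_after_revoke"] = store.check("user:bob", "viewer", "doc:roadmap")
    return results
```

The point of the example is the shape of the problem, not the toy code: the model is reviewable (every derivation is explicit), changes are explicit tuple writes and deletes, and every decision is a graph walk from the object to the user. A production service such as the one described here would add an audit log of the writes and checks and would need to make that walk fast and reliable at scale, which is exactly the work the post argues you should not have to redo yourself.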

