OpenFGA is an open-source authorization framework. Both it and its commercial counterpart, Okta FGA, are interpretations of the Zanzibar whitepaper, which describes the Relationship-Based Access Control (ReBAC) authorization model used at Google. OpenFGA allows developers to define complex application authorization policies using a declarative language.
Why Consider Alternatives to OpenFGA?
While OpenFGA offers powerful capabilities for access control, you may want to consider alternatives based on specific needs such as ease of implementation and cost of maintenance. OpenFGA requires that you to replicate data to a secondary data store, which may create more operational overhead than you want to take on. Its rigid ReBAC implementation may not map naturally to your authorization logic. These considerations determine how well a given solution meets your specific organizational constraints and development requirements.
Top Alternatives to OpenFGA
Oso Cloud
Oso Cloud provides application authorization as a service. It diverges from OpenFGA and other Zanzibar-based ReBAC implementations in two fundamental ways.
- Data Architecture: Oso Cloud is able to answer authorization questions using data directly from your application databases. You can gain all the benefits of centralizing your authorization logic - discoverability, sharing, testing - without having to build extra logic to synchronize you application data to Oso Cloud. When you’re getting started with Oso Cloud, you can focus entirely on your authorization logic. You don’t have to worry about how to get your data to it. But don’t worry - if you decide later that you want to centralize some or all of your authorization data, Oso Cloud supports that, too.
Whether you use OpenFGA or Okta FGA, you have to copy your authorization data out of your application databases to a separate store that the service uses specifically to answer authorization questions. This introduces all the extra overhead that comes with maintaining two sources of truth: initial data replication, two-phase commits, and drift detection and remediation. You’ll need to manage this from the start. - Semantic flexibility: Authorization logic in Oso Cloud is written in the Polar language. Polar is a general purpose logic language that allows you to ask authorization questions in direct terms. Fundamentally, authorization is the act of answering the question “Can User A perform action B on Entity C?” In a ReBAC model like OpenFGA, you can’t ask this question. Instead, you have to ask “Does User A have relation R with Object O?”
Likewise, OpenFGA and similar systems are only capable of expressing authorization logic in terms of relationships. While it’s possible to do this, in reality much authorization logic isn’t relational. This makes it difficult to support common use cases like global permissions and public objects in OpenFGA. Rather than simply granting an administrator edit access to all organizations or marking a document as public, you have to work around the constraints of the language to figure out how to make those rules look like relationships. In Polar, you can directly express these ideas.
Permit.io
Permit.io is an abstraction layer that rests on top of a third-party policy engine (currently either Open Policy Agent or AWS Cedar) to provide an intuitive authorization interface. It is a hybrid solution with open source components that interact with a hosted cloud service.
- Deployment model: Permit.io consists of one or more Policy Decision Points (PDPs) that you deploy on your infrastructure and a cloud service that is maintained by Permit.io. The PDPs interact with the cloud service to render authorization decisions.
- User Interface: Permit.io is the only authorization service in this comparison that provides a visual dashboard for managing permissions. This approach is accessible to more users across your organization. OpenFGA defines permissions as code, making it tailored to engineers.
- Modeling: Permit.io doesn’t define a policy language of its own. Instead, you use its UI to model your authorization logic. Permify expresses that logic using the policy engine you choose to power it.
- Data Management: Permit.io stores authorization data in a dedicated store that is hosted within your infrastructure and is available to the PDPs.
Permify
Permify is an open-source, Zanzibar-based solution similar to OpenFGA. It is the most pure open-source implementation in this evaluation.
- Deployment Model: Permify is a self-hosted solution that you deploy on your infrastructure. They provide a docker container or you can build it from the source code.
- Modeling: Both OpenFGA and Permify are ReBAC solutions inspired by Google Zanzibar. Permify provides an
attributeextension that supports attribute-based access control (ABAC) scenarios like public documents more naturally. - Data Management: Permify stores authorization data in a dedicated store that you set up within your infrastructure.
AuthZed / SpiceDB
Authzed is another Zanzibar-based authorization as a service solution. It provides managed and self-hosted implementations based on the open-source SpiceDB project.
- Deployment Model: Authzed provides both cloud and on-premises deployments. It is distributed as a docker container, in the package managers of most common Linux distributions, or as a chocolatey package on Windows.
- Modeling: Both OpenFGA and Authzed define pure Zanzibar-based ReBAC authorization models.
- Data Management: Authzed stores authorization data in a dedicated store that you deploy and manage within your infrastructure. It offers the widest database support of all the solutions evaluated here.
Feature Comparison Table
Why Choose Oso Cloud over OpenFGA?
Oso Cloud and OpenFGA are both powerful application authorization solutions. Oso Cloud provides the Polar language, which allows you to express all of your authorization logic in the most natural terms. OpenFGA is based on Google Zanzibar, and as a result requires you to express all of your authorization logic in terms of a relationship between two objects. Oso Cloud can use your application data in-place, so you don’t have to synchronize anything to an external store to start answering authorization questions. OpenFGA and Okta FGA both require you to copy authorization data to an external data store, which creates extra operational overhead for your team. Oso Cloud provides that more streamlined onboarding experience of the two. Because it always allows you to express your authorization logic in the terms that best fit your mental model, it is also the easier solution to maintain over time.
Conclusion
OpenFGA is a powerful solution for application authorization. But you may find that other options better meet your needs. If you’re already using a policy engine like OPA or AWS Cedar, or if you want to make it easier for business users to manage authorization logic, then Permit.io is a great choice. If open-source is a priority, then take a look at Permify. If you want support for a wide variety of databases, then look at authzed.
For all their strengths, all of the above solutions introduce friction into the developer experience. Whether they force you into an unnatural mental model, require a data replication mechanism, or simply lack dedicated, reliable support, you may find that while they meet your authorization requirements, they fall short of your organizational needs.
Oso Cloud has been built from the start to provide an exceptional developer experience. It allows you to model your logic in the terms you already use to think about it. It lets you keep your data in one place, simplifying your code and your infrastructure. This creates a simple path to adoption while supporting the most sophisticated application requirements. Oso provides comprehensive testing and diagnostic features as well as an unmatched support experience to make sure you get to production with confidence.
Ready to give Oso Cloud a try? Head over to our Quickstart to get up and running in a few minutes! Still have questions? Reach out to us on Slack. We’d love to talk authorization with you.
