Welcome to the second Fine Grained News edition of 2025!

Just Shipped!​

• We shipped 3 minor versions of OpenFGA which include:

  • Fixes for CVE-2025-25196 and CVE-2024-56323

  • Several performance improvements that are enabled with the enable-check-optimizations experimental flag.

  • Dynamic TLS certificate reloading for HTTP and gRPC servers. Thanks Rokibul Hasan for your contribution!

  • A name filter to ListStores. The name parameter instructs the API to only include results that match that name. Thanks Karl Persson for your contribution!

  • Optimized database dialect handling by setting it during initialization instead of per-call, fixing SQL syntax errors in MySQL. Thanks Siddhant Khare for your contribution!

  • Support for Go 1.24. We follow Go's version support policy and will only support the latest two major versions of Go. Now that Go 1.24 is out, we have dropped support for Go < 1.23.

• Two minor versions of the Java SDK, with support for server-side BatchCheck. Thanks Piotr Olaszewski for your contribution!

• A minor release of the Go SDK, with support for the StartTime parameter in the ReadChanges method and support for specifying contextual tuples and context parameters in assertions.

• A minor release of the FGA CLI, with support for the start-time parameter for the changes command and importing assertions during fga store import. Thanks Sujitha A V for your contribution!

Using OpenFGA for GenAI and Retrieval Augmented Generation (RAG)​

We are seeing a lot of interest in using OpenFGA for RAG scenarios and we wanted to share a list of interesting articles and repositories that were published lately:

• RAG and Access Control: Where Do You Start?
• Building a Secure RAG with Python, LangChain, and OpenFGA
• GenAI, LangChain.js, and FGA
• Building a Permissions System For Your RAG Application
• mdb-openfga: OpenFGA + MongoDB

Learning OpenFGA​

We've been busy creating blog posts and videos that help you adopt OpenFGA, check them out!

• OpenFGA: Modeling Guide
• OpenFGA: The Basics
• OpenFGA for Python Flask Applications
• How to Implement Relationship-Based Access Control (ReBAC) in a Ruby On Rails API?
• Securing data in your Next.js app with Okta and OpenFGA
• OpenFGA for an Express + Typescript Node.js API
• OpenFGA for Spring Boot Applications

OpenFGA to CNCF Incubation​

The CNCF Technical Oversight Committee triaged OpenFGA's application to be accepted as an "Incubation" project, decided we had provided the appropriate information and references, and moved the project to the next step. We now need to wait for a TOC member to pick the project and do their due diligence.

Thanks to Canonical, Grafana, Docker, Read.AI, Agicap, Sourcegraph, Zuplo, and Stacklok for agreeing to be interviewed by the CNCF as reference adopters!

OpenFGA in London​

OpenFGA will be present in two high-profile events in London:

• Sam Bellen will participate in the Gartner IAM EMEA event demoing OpenFGA interoperability with the AuthZen standard.

• Poovamraj Thanganadar Thiagarajan from Okta will be presenting at KubeCon Europe, together with Jo Guerreiro from Grafana Labs about From Chaos To Control: Migrating Access Control To OpenFGA in a Multi-Tenant World.

• Andres Aguiar from Okta was invited to present on the Maintainer's Summit at KubeCon Europe about our experiences collaborating with the CNCF TAG-Security team: A Project Maintainers Guide To TAG Security.

See You Next Month:​

Fine Grained News is published every month. If you have any feedback, want to share your OpenFGA story, or have a noteworthy update, please let us know on any of our community channels or at [email protected].

Welcome to the first Fine Grained News edition of 2025! January is always a good month to look back at what the OpenFGA community accomplished over the past year.

Major faatures​

Below is a list of the major features that were shipped in 2024:

• Modular Models
• Java Spring Boot Integration
• JetBrains Integration
• Telemetry in OpenFGA SDKs
• ListUsers Endpoint
• Batch Check Endpoint
• Query Consistency Options
• Storage adapter for SQLite , contributed by DanCech from Grafana Labs
• Experimental Access Control for the OpenFGA server

We heavily invested in OpenFGA performance, reducing latency by 90% in several cases. We'll continue improving performance in the following months.

But that's not all!​

We are very grateful with the OpenFGA community, who helped shipping 126 releases and improvements across the board:

• OpenFGA Server: 23 releases. Thanks kalleep, DanCech,golanglemonade tranngoclam, lalalalatt, Code2Life, JAORMX, Zach-Johnson, cmmoran, 00chorch, chenrui333, le-yams, lekaf974, raj-saxena!
• Python SDK: 16 Releases. Thanks Oscmage ovindu-a, GMorris-professional, Divan009!
• Go SDK: 10 releases. Thanks le-yams, le-yams, gurleensethi, gurleensethi, wonyx, Code2Life, Kryvchun!
• Java SDK: 10 releases. Thanks le-yams, paulosuzart and Didier-SimpleCommeDev!
• JS SDK: 13 releases. Thanks sccalabr, Siddhant-K-code, vil02, Waheedsys, tmsagarofficial!
• .NET SDK: 5 releases.
• Spring Boot: 2 releases. Thanks eddumelendez and dheid!
• Helm Chart: 31 releases. Thanks jliedy, aaronschweig, bagnaram, vil02, jagregory danielloader, wenzel-felix, aballet, tamalsaha, Oscmage, rorynickolls-skyral, juusujanar, cstruck, almeynman, JAORMX!
• openfga.dev: Our website received contributions from Siddhant-K-code, tazarov, sarthak-kumar-shailendra, nimakarimi97, soura-b, asenawritescode, kwiky, lupeterm, RobertKielty, t3hmrman, mwangersjo, josxha, tbcvl, sujitha-av, jamct, lhchingit, DanCech. Thanks to everyone!
• Visual Studio Code Extension: 11 releases. Thanks solon!
• IntelliJ Plugin: 5 releases. Thanks le-yams and edlundin!

More community accomplishments​

• OpenFGA repository’s stars increased 70%, crossing the 3k mark.
• External contributors to the OpenFGA repository doubled.
• There are more than 140 repositories in Github that have ‘openfga’ in its name or description and are not maintained by the OpenFGA team.
• We onboarded Grafana Labs as a new maintainer for the OpenFGA project.
• We just launched a LinkedIn Page. We need more followers!
• There are 15 Production OpenFGA Models in different projects in Github.
• We applied to CNCF Incubation in April 2024, we are third in the line waiting for being evaluated.

Future community presentations​

Sam Bellen will present Can’t Touch This!, a talk about access control, including OpenFGA at JFokus Stockholm.

Poovamraj Thanganadar Thiagarajan from Okta will be presenting at KubeCon Europe, together with Jo Guerreiro from Grafana Labs about From Chaos To Control: Migrating Access Control To OpenFGA in a Multi-Tenant World.

Andres Aguiar from Okta was invited to present on the Maintainer’s Summit at KubeCon Europe aaout our experiences collaborating with the CNCF TAG-Security team: A Project Maintainers Guide To TAG Security.

Mark Laing from Canonical will present at FOSDEM about Fine-grained access control in LXD with OpenFGA.

See You Next Month:​

Fine Grained News is published every month. If you have any feedback, want to share your OpenFGA story, or have a noteworthy update, please let us know on any of our community channels or at [email protected].

Welcome to the November edition of Fine Grained News! As we enter the final stretch of 2024, there are exciting developments in the OpenFGA to share.

🌟 We hit 3,000 stars on the OpenFGA repo!: 🌟 Because of this great community, we've just this incredible milestone! Thank you so much for all the support you've shown this project. Let's keep the momentum going! If you haven't yet, we'd greatly appreciate you starring the repo to help push us toward 4,000 stars and grow our amazing community!

Just Shipped​

v1.8.1: This release focuses on performance and monitoring enhancements. It introduces two new flags for better control over check operations, optimizes performance for TTU relationships with set operations, and expands metrics tracking with duration measurements. Additionally, deduplication logic has been added to the BatchCheck API, along with new logging fields for authz calls. Read more in the Read more in the Changelog...

For more about the new OPENFGA_CHECK_ITERATOR_TTL and OPENFGA_CHECK_CACHE_LIMIT flags, run ./openfga run --help

Batch Check API: Introduced in v1.8.0, the BatchCheck API significantly reduces network latency by batching authorization checks in a single request. With v1.8.1, deduplication logic increasing its efficiency further. v1.8.0 also added support for Contextual Tuples in the Expand API, time-based filtering in the ReadChanges API, and additional performance improvements. Read more in the Changelog or the BatchCheck API docs.

Coming Up​

SDK Updates: We will be updating the SDKs next to take advantage of the new BatchCheck, starting with Python and JavaScript. If you want to see an SDK prioritized, let us know!

Check out our roadmap to see what we're working on. Feature requests and ideas can be shared in GitHub Discussions.

Community Highlights​

OpenFGA at KubeCon: In November, Andres Aguiar represented OpenFGA at KubeCon/CloudNativeCon. OpenFGA had a kiosk in the Project Pavilion, where Andres delivered a lightning talk and participated in The Policy Engines Showdown with other authorization solution providers. Watch the panel discussion...

Andres Aguiar representing OpenFGA at KubeCon

OpenFGA in Italy: Andrea Chiarelli presented Authorize in the Cloud with OpenFGA at Cloud Day 2024 in Milan.

Andrea Chiarelli presenting at Cloud Day 2024

OpenFGA Offsite: The team that works hard to bring you OpenFGA met in Chicago this November for a fun and productive offsite, diving deep into our vision, developer needs, and the roadmap ahead.

The OpenFGA team in Chicago

New Modeling Demos Available!: Learn how to model fine-grained authorization in OpenFGA's domain-specific language step-by-step with our new demo video series! Starting with the basics and gradually adding complexity, this playlist is your guide to mastering OpenFGA modeling.

Monthly Community Meeting: Join our in depth monthly community discussions every second Thursday at 11 AM Eastern Time (US). Check out our meeting details for more information.

November's highlights included:

• Sebastian Döll from ZEISS showcasing their Terraform/OpenFGA integration.
• Justin Cohen demonstrating the new Batch Check functionality.

Can't make it? Catch up on our latest recording or browse previous sessions on our YouTube channel.

Blogs and Videos for AuthZ Fans:

• Granting TTL based permissions in OpenFGA: Implement TTL-based permissions in OpenFGA for time-limited access control. Read more on Medium...

• Overcoming Security Challenges in Protecting Shared Generative AI Environments: Explore solutions for ensuring secure, scalable, and efficient multi-tenancy in generative AI environments. Read more on Medium...

• Fine-Grained Authorization for Backstage using OpenFGA: Learn how OpenFGA enables dynamic fine-grained authorization in Backstage through ReBAC models and seamless policy updates. See the webinar on YouTube...

New Adopters​

• Are you using OpenFGA in production? Join our growing community of adopters! Add your company to our ADOPTERS.md file with a quick PR.

• Do you offer OpenFGA implementation services? Get listed in our Implementation Services directory. Note: Listings are community-contributed and not officially endorsed by the OpenFGA project.

Announcements​

OpenFGA Ranked #5 in CNCF Project Contributions! Thanks to our amazing community, OpenFGA soared to become the 5th most active CNCF project during Hacktoberfest in October! Your contributions made this possible, and hope to continue the engagement!

Ready to join our community of contributors? We have opportunities for every skill level:

• Start with our Good First Issues for beginner-friendly tasks.
• Take on more complex challenges in our Issue queue.
• Follow our Contribution Guide to get started.

CNCF Projects Ranked by Commits during Hacktoberfest

Follow OpenFGA on LinkedIn Connect with a growing community of fine-grained authorization enthusiasts and expand your professional network by following our new OpenFGA LinkedIn page!

See You Next Month:​

Fine Grained News is published every month. If you have any feedback, want to share your OpenFGA story, or have a noteworthy update, please let us know on any of our community channels or at [email protected].

Welcome to the October edition of Fine Grained News! As we approach the end of the year, we're excited to bring you the latest updates, improvements, and community contributions shaping the future of OpenFGA.

As always, if you’re finding the OpenFGA project to be a valuable resource, we would greatly appreciate if you would star our repo on GitHub to show your support!⭐

Just Shipped​

• OpenFGA v1.7.0: In our latest release, we’ve introduced Access Control. This experimental feature allows you to control access to your OpenFGA server, and of course, we built it using OpenFGA! We’ve updated our Docs to show you how to enable this feature; please share your feedback in the GitHub Discussions!

• This month, we’ve also added documentation of our OpenFGA release process.

• We’ve improved performance for checks involving nested tuple-to-userset relations. This is commonly used when implementing nested groups. Users can enable this with the experimental flag enable-check-optimizations.

• Following last month’s launch of OpenFGA SDK support for telemetry data using OpenTelemetry, we’ve also updated our Docs to guide users through configuration to collect tracing data and metrics.

In Progress​

Batch Check API Endpoint: We’re close to releasing a new feature to enable sending multiple check operations in a single network request.

Check out our roadmap to see what’s in the works. Feature requests and ideas can be shared in GitHub Discussions.

Community Highlights​

• OpenFGA at Open Source Strategy Forum 2024: Kiah Imani presented “Role-Based Access Is So Yesterday: Revolutionizing Authorization with OpenFGA” at the OSSF 2024 earlier this month. The presentation is now available in Youtube

• OpenFGA at KubeCon: Andres Aguiar will participate in KubeCon/CloudNativeCon in November! OpenFGA will have a Kiosk in the Project Pavilion. He'll present a lightning talk on OpenFGA and participate in The Policy Engines Showdown.
  

• OpenFGA in Italy: Andrea Chiarelli will present Authorize in the Cloud with OpenFGA at Cloud Day 2024 in Milan on November 20, 2024.
  

• New Demp Flask App Added: To complement our OpenFGA examples and guides, we have published an example app demonstrating the integration of OpenFGA. This app utilizes several FGA features to provide a multi-user system for folder and text file sharing. Thanks to @ryanpq for your contribution!
  

• Monthly Community Meeting: Join us for our monthly Community Meetings, held on the second Thursday of every month at 11 AM Eastern Time (US). Our next meeting is on Thursday, November 14, 2024. Our community meetings are a great way to stay updated with the latest developments, ask questions, and engage with the OpenFGA community. If you can’t join the meetings live, our latest month's video will always be posted on our YouTube channel!

  As always, we welcome community members to demo their use cases. If you want to demo your implementation of OpenFGA, please contact any of the OpenFGA team on our community channels linked below.

New Adopters​

• This month, we welcome Gillion and Flex as OpenFGA adopters! If you or your company have implemented OpenFGA, we would love to hear about it! Please add your name as an adopter by updating the ADOPTERS.md file and sending us a PR.

• If you or your company provides implementation services for OpenFGA, we invite you to share your information with the community in our Implementation Services section of the ADOPTERS.md file by sending us a PR! However, please note that the OpenFGA project has not evaluated or endorsed the individuals and companies listed, and inclusion does not imply endorsement.

Announcements​

• Hacktoberfest Highlights: This Hacktoberfest, we welcomed 13 new contributors making their first commit to OpenFGA! Thanks to the incredible community participation, we saw a 28% increase in pull requests compared to September and a remarkable 260% increase in PRs on the SDK Generator. A huge thanks to this community for your continued participation and contributions!

• OpenFGA Community Meeting Updates: We are adding chapters to our YouTube channel videos to simplify content navigation. We’ve begun with the most recent videos and will add chapters as time goes on. We have also begun releasing demos as individual videos for easier content consumption. You can catch this month’s demos on Modular Authorization and Client-Side Caching, with Materialize Integration coming soon!

See you Next Month​

Fine Grained News is published every month. If you have any feedback, want to share your OpenFGA story, or have a noteworthy update, please let us know on any of our community channels or at [email protected].

Welcome to the September edition of Fine Grained News! As we transition into the fall season, we’re excited to bring you the latest updates on the progress of OpenFGA.

Just Shipped​

• We shipped OpenFGA v1.6.1 with performance fixes, bug fixes, and a new SQLite storage adapter contributed by Grafana. Thanks @DanCech!

• This month we released improved OpenTelemetry metrics support for .NET SDK, Go SDK, Java SDK, and JavaScript SDK.

In Progress​

• Authorization for OpenFGA: OpenFGA currently supports global pre-shared keys and OIDC for API authentication, but we’re exploring more granular authorization options, such as store-specific credentials and varying permissions for stores, modules, and types.

• Batch Check: OpenFGA SDKs currently implement BatchCheck by issuing multiple parallel request to the OpenFGA server. We'll be implementing a BatchCheck server endpoint to improve performance and reduce network overhead.

Check out our roadmap to see what’s in the works. Feature requests and ideas can be shared in GitHub Discussions.

Community Highlights​

• OpenFGA at Open Source Summit Europe: José Carlos Chávez gave a talk on RBAC with OpenFGA at OSS Europe 2024 in Vienna, Austria this month. You can see the presentation deck here.
• OpenFGA at Open Source Strategy Forum 2024: Kiah Imani will present Role-Based Access Is So Yesterday: Revolutionizing Authorization with OpenFGA at OSSF on Wednesday, October 23, 2024. In this session, attendees will learn how OpenFGA addresses the limitations of RBAC, enhancing security, performance, and access management across various systems.
• OpenFGA at KubeCon: Andres Aguiar will participate in KubeCon/CloudNativeCon in November! OpenFGA will have a Kiosk in the Project Pavilion. He'll present a lightning talk on OpenFGA and participate in The Policy Engines Showdown.
• We added new authorization model examples for multi-tenant RBAC and how to define ABAC policies using ReBAC.
• Guide to Building Auth Systems: Level Up Coding offers a comprehensive guide to building authorization systems using RBAC, ReBAC, and ABAC models. The guide covers the differences between these approaches and when to use each.
• High Marks for OpenFGA Policy Languages: Trial Of Bits published a report comparing the security of the Cedar, OPA, and OpenFGA policy languages. OpenFGA was very well evaluated!
• September Community Meeting: Check out the September Community Meeting, which is posted on YouTube! In last month’s meeting, we reviewed recent updates, demos with Envoy, an OpenFGA Kubernetes Operator, fine-grained access for OpenFGA, and reviewed the results of the 2024 Community Survey.

New Adopters​

• If you or your company have implemented OpenFGA, we would love to hear about it! Please add your name as yourself as an adopter by updating the Adopters.md file and send us a PR.
• If you or your company provides implementation services for OpenFGA, we invite you to share your information with the community in our Implementation Services section of the Adopters.md file by sending us a PR! However, please note that the listed individuals and companies have not been evaluated or endorsed by the OpenFGA project, and inclusion on the list does not imply endorsement.

Announcements​

• Hacktoberfest 2024: Hacktoberfest is a month long celebration of open source software which encourages new and experienced developers alike to contribute code to open source projects during the month of October. This makes October a great time to become an OpenFGA contributor! We have labeled a number of issues on GitHub with "Hacktoberfest" and "Good First Issue" labels making it easy to find a way to get involved and have your code included in OpenFGA.
• Monthly Community Meeting: Join us for our monthly Community Meetings, held on the second Thursday of every month at 11 AM Eastern Time (US). Our next meeting is on Thursday, October 10, 2024. Our community meetings are a great way to stay updated with the latest developments, ask questions, and engage with the OpenFGA community. If you would like to demo your implementation of OpenFGA, please reach out to us on any of our community channels or at [email protected]. You can find the link to the meeting invite here. We look forward to seeing you there!

See You Next Month!​

Fine Grained News is published every month. If you have any feedback, want to share your OpenFGA story, or have a noteworthy update, please let us know on any of our community channels or at [email protected].

Welcome to the August 2024 edition of Fine Grained News! We are excited to bring you the latest updates, features, and community highlights from OpenFGA.

Just Shipped!​

• OpenFGA v1.6.0: The latest OpenFGA release enables support for query consistency options and includes additional performance enhancements.

• Query Consistency Options in SDKs: All OpenFGA SDKs now support specifying a query consistency parameter for OpenFGA query endpoints. Make sure to update to the latest versions of the SDKs and OpenFGA to take advantage of this feature.

• Metrics Telemetry for SDKs: We already supported OpenTelemetry metrics in the Python and Javascript SDKs. We’ve just added support in the Java SDK, and the GO SDK.

Security Advisory​

We recently addressed a security issue, identified as GHSA-3f6g-m4hr-59h8, that was present in OpenFGA v1.5.7 and v1.5.8. This issue has been fixed starting v1.5.9, and we strongly recommend all users update to the latest version to ensure their systems remain secure. For more details, please refer to the security advisory on our GitHub page.

In Progress​

• Support for OpenTelemetry tracing and logging
• Performance Improvements for OpenFGA queries
• Additional OpenFGA API Authorization Options
• SQLite Storage Adapter, thanks to Grafana for the contribution!

Curious about what’s coming next for OpenFGA? Check out our roadmap to see what’s in store. We also welcome your feature requests and ideas in GitHub Discussions.

Community Highlights​

• CNCF Security TAG: This month, Andrés Aguiar presented OpenFGA to the CNCF Security Technical Advisory Group (TAG), where he discussed the project's current status and showcased various use cases. You can see the presentation deck here. It’s a great way to see how OpenFGA is being utilized and what’s on the horizon for the project.
• API Security: APISIX + OpenFGA: Check out this blog post by Kaan Kahraman on enhancing API security by integrating APISIX with OpenFGA.

Upcoming Events​

• Join Us at Open Source Summit Europe 2024: José Carlos Chávez will present at Open Source Summit Europe 2024 in Vienna, Austria on September 16, 2024! He will discuss Fine-Grained Policies: RBAC with OpenFGA. We look forward to seeing you there!
• OpenFGA at Open Source Strategy Forum 2024: Kiah Imani will present Role-Based Access Is So Yesterday: Revolutionizing Authorization with OpenFGA at OSSF on Wednesday, October 23, 2024. In this session, attendees will learn how OpenFGA addresses the limitations of RBAC, enhancing security, performance, and access management across various systems.
• We'll be participating of KubeCon / CloudNativeCon North America! OpenFGA will have a Kiosk in the Project Pavilion, we'll present a lightning talk on OpenFGA and participate in The Policy Engines Showdown.

New Adopters​

We want to welcome Patika Global Technology as an OpenFGA adopter! If you're using OpenFGA in production, we encourage you to add your company or project to our Adopters list by opening a PR. Please include a short description of your use case in your submission. If you’ve previously added your company or project to the adopter's list, we would appreciate you updating it to include a short description. Your contributions help the community, and we greatly appreciate your support!

OpenFGA Service Providers​

We’ve added a new section within the Adopters list for those offering OpenFGA implementation services. If your organization wants help adopting OpenFGA, this resource can connect you with professionals specializing in our technology. If your company provides implementation services for OpenFGA, we invite you to add your details by sending us a PR! Please note that the listed companies have not been individually evaluated or endorsed by the OpenFGA project, and inclusion on the list does not imply endorsement.

Announcements​

• OpenFGA Joins Docker-Sponsored Open Source Program: We’re excited to share that OpenFGA has been accepted into the Docker-Sponsored Open Source Program! This partnership allows us to distribute our container image more efficiently and securely, ensuring that our community can easily access and trust the latest versions of OpenFGA on Docker Hub with higher rate limits.
• 2024 Community Survey Participation: A huge thank you to everyone who participated in the 2024 Community Survey! Your insights are invaluable in helping us shape the future of OpenFGA. We truly appreciate the time and thought you put into sharing your experiences and suggestions. Remember, we always welcome feedback across our community channels — your input is what drives us forward.
• Monthly Community Meeting: Join us for our monthly Community Meetings, held on the second Thursday of every month at 11 AM Eastern Time (US). Our next meeting is on Thursday, September 12, 2024. These meetings are a fantastic opportunity to stay updated with the latest developments, ask questions, and engage with the OpenFGA community. You can find the link to the meeting invite here. We look forward to seeing you there!

See You Next Month!​

Fine Grained News is published every month. Although we have transitioned from Discord to the CNCF Slack channel, we want to continue to hear from you! Whether you have questions or feedback or just want to connect with others using OpenFGA, our community channels are the best place to do so. You can reach us at:

• CNCF Slack: Join the conversation in the #openfga channel. Please note: If you are not currently part of the CNCF Slack channel, you will need to click here to join the channel first.
• GitHub Discussions: Share your feedback, ask questions, and engage with the community on GitHub Discussions.
• Twitter: Follow us @openfga for updates and news.

Visit our community page for more details and to join these channels. We look forward to your contributions and conversations!

Welcome to the July 2024 edition of Fine Grained News! We are thrilled to bring you the latest updates, features, and community highlights from OpenFGA. This month has included releases, performance improvements, and insights shared through our community meetings and presentations.

We value your feedback and invite you to participate in our 2024 OpenFGA Community Survey. Your insights help us understand your needs better and improve our offerings. Please take a few minutes to complete the survey and let your voice be heard.

Improvements​

Latest Features

• We’ve introduced consistency options for query requests. This new, experimental, feature provides more flexibility and control over how queries are executed, enhancing the accuracy and reliability of query results. Learn more about this update.

• We’re now publishing images to ghcr.io/openfga/openfga as an alternative to DockerHub, thanks to the contribution from @JAORMX. This provides an additional option for accessing and deploying our containers. Read more.

Performance Improvements

• We've improved our Check latency up to 20X in some scenarios in OpenFGA v1.5.7 and v1.5.6.

If you have any feedback, or want to try a feature early, or are interested to learn more, please reach out!

Breaking Changes​

Several breaking changes related to the storage interface have been introduced. These changes should not impact your usage of OpenFGA unless you are implementing a custom storage adapter for OpenFGA.

In Progress​

• Additional Consistency Options for OpenFGA queries: We've just shipped the first iteration of this feature, we're working on adding support for it in more SDKs. We’ll also be working on adding a consistency token in the future.

• Telemetry for SDKs: We shipped OpenTelemetry Metrics support for Python and Javascript. We’ll be adding metrics support to the rest of the SDKs and then add support for tracing and logging. If you have feedback regarding our OpenTelemetry support, please do reach out on any of our community channels.

• We’ll keep working on Performance Improvements for Check, List Objects and List Users APIs.

• We’ll be adding additional authorization options for OpenFGA to restrict API credentials to performing specific actions in OpenFGA stores.

• We collaborated with members of the CNCF TAG-Security team for a few weeks to get it wrapped up (thanks Krishna Krishna and Eddie for your help).

Community Highlights​

• Check out July’s Community Meeting! It's a great opportunity to stay updated with the latest developments, ask questions, and engage with the OpenFGA community.

• Maria Ines Parnisari from the OpenFGA team and Evan Anderson from Stacklok presented on Implementing a Multi-Tenant, Relationship-Based Authorization Model with OpenFGA at CloudNative SecurityCon North America. If you didn’t attend the conference in June, the presentation recording is now live.

• This month, Andres Aguiar and Damian Schenkelman appeared in the Identerati Office Hours livestream for an in-depth exploration of OpenFGA. This video covers advanced topics and provides valuable insights into the capabilities and implementation of OpenFGA. Whether you're a seasoned user or new to OpenFGA, this deep dive is packed with information that will enhance your understanding and usage of the platform.

• Andres Aguiar sat down with Open at Intel host Katherine Druckman during KubeCon Europe to discuss OpenFGA. You can hear that podcast here.

New Adopters​

We’re happy to share that Bump is now an OpenFGA adopter! If you are using OpenFGA in production, please consider adding your company or project to our list. Your contribution will be greatly appreciated!

Announcements​

Join us for our monthly Community Meetings, held on the second Thursday of every month at 11am Eastern Time (US). Our next meeting is on Thursday, August 8, 2024. These meetings are a fantastic opportunity to stay updated with the latest developments, ask questions, and engage with the OpenFGA community. You can find the link to the meeting invite here. We look forward to seeing you there!

Transitioning from Discord to CNCF's Slack​

As a reminder, we transitioned out from Discord for OpenFGA and are now using the CNCF #openfga Slack channel. If you are not part of the CNCF Slack workspace, you need to join the CNCF Slack first.

See You Next Month!​

Fine Grained News is published every month. If you have any feedback, want to share your OpenFGA story, or have a noteworthy update, please let us know on any of our community channels or at [email protected].

OpenFGA query APIs now allow specifying the desired consistency of query results. By default, OpenFGA does not use a cache. However, when caching is enabled, it applies to all requests. This means that any changes in permissions won't be reflected in authorization checks during the cache TTL period.

The community expressed the need for flexibility in using the cache on a per-request basis. In response, starting with OpenFGA v1.5.7, all query APIs can accept a consistency parameter with the following values:

Name	Description
MINIMIZE_LATENCY (default)	OpenFGA will try to minimize latency (e.g. by making use of the cache)
HIGHER_CONSISTENCY	OpenFGA will try to optimize for stronger consistency (e.g. by bypassing cache)

When HIGHER_CONSISTENCY is specified, OpenFGA reads directly from the database, even when the cache is enabled.

How to use it?​

The new consistency parameter is available in OpenFGA starting v1.5.7.

The parameter is supported by all OpenFGA SDKs.

For more information on enabling the cache and best practices for specifying consistency values, refer to the documentation.

Custom database adapter implementations​

For those with a custom database adapter for a multi-region database, the behavior of the HIGHER_CONSISTENCY parameter can be defined according to your needs. With an eventually consistent database (e.g., Dynamo DB) in a multi-region setup, there will be replication lag even if the cache is bypassed. If the database supports strong reads, you can choose to perform those at an extra cost. Otherwise, you can perform an eventually consistent read without providing full consistency semantics to the caller. In some other databases where you have Read/Write replicas, you may choose to go to the Write replica when the HIGHER_CONSISTENCY preference is selected.

Future work​

Google Zanzibar features a consistency token called Zookies, returned from write operations. This token can be stored in a resource table and specified in subsequent query API calls. We are considering introducing a similar feature in future releases.

We want your feedback!​

We want to learn how you use this API and how we can improve it!

Please reach out through our community channels with any questions or feedback.

Welcome to Fine Grained News, June 2024 edition!

This is where we share what has been going on in the OpenFGA community during the last 30 days :).

What are we working on?​

• We started adding OpenTelemetry instrumentation to our SDKs. We just shipped metrics support for Python and Javascript. We'll continue with tracing and logging, and we'll be adding support for Java, Go and .NET next.

• We are close to ship a first iteration to add additional consistency options for OpenFGA.

• We are working with Krishna Kumar and Eddie Knight from the CNCF Tag-Security team on a joint security assessment for OpenFGA. We are pretty close to wrapping it up! You can follow the progress in this PR.

• We'll be working on adding authorization for OpenFGA APIs.

• We've identified a few areas where we can improve performance and we are actively working on them.

If you have any feedback, or want to try a feature early, or are interested to learn more, please reach out!

New Adopters​

We are thrilled to welcome Sourcegraph to the list of companies in our Adopters list! We are proud to be addressing their fine-grained authorization needs.

If you are using OpenFGA in production, please consider adding your company/project to the list, it will be greatly appreciated!

Community​

• Zuplo released an OpenFGA Authorization Inbound Policy that makes it super simple to add fine-grained authorization to your APIs. They are also using OpenFGA deployed globally in GCP for Zuplo itself. You can learn more about their OpenFGA integration journey in this webinar.

• Martin Besozzi built an APISIX plugin for OpenFGA. He also published a blog post about Mastering Access Control: Implementing Low-Code Authorization Based on ReBAC and Decoupling Pattern demonstrating how to use it.

• Andres Aguiar and Damian Schenkelman will do an OpenFGA Deep Dive in the July 17 episode of Identirati Office Hours.

OpenFGA @ CloudNative SecurityCon​

OpenFGA was present in CloudNative SecurityCon North America!

Maria Ines Parnisari from the OpenFGA team and Evan Anderson from Stacklok presented on Implementing a Multi-Tenant, Relationship-Based Authorization Model with OpenFGA.

We also got a last-minute kiosk to showcase OpenFGA at the event:

Thanks to everyone that stopped by!

Latest Features​

In case you missed them, here are some of the latest major features we've added to OpenFGA:

• List Users API allows you to retrieve all the users that have a specific relation with a resource.

• Modular Models makes it easy for multiple teams to collaborate on a single OpenFGA model.

• JetBrain's IDEs plugin to allow syntax coloring and validation of OpenFGA models.

• Conditional Tuples allows you to define tuples that are only valid under certain conditions

• Spring Boot Starter for OpenFGA simplifies integrating OpenFGA with Spring Security applications.

Transitioning from Discord to CNCF's Slack​

As we mentioned before, we transitioned out from Discord for OpenFGA and are now using the CNCF #openfga Slack channel. If you are not part of the CNCF Slack workspace, you need to join the CNCF Slack first.

Checkout https://openfga.dev/community for all the places to find us.

See you next month!​

Fine Grained News are published every month. If you have any feedback, want to share your OpenFGA story, or know about something that you think is worth mentioning, please let us know!

Welcome to Fine Grained News, May edition!

New Releases!​

• We shipped the a ListUsers API. ListUsers allows you to retrieve all the users that have a specific relation with a resource (e.g. all users that can view a document).

• In collaboration with Yann D'Isanto we shipped a plugin for JetBrain's IDEs to allow syntax coloring and validation of OpenFGA models. Together with the Visual Studio Code integration and the Tree sitter grammar from Matouš Dzivjak, OpenFGA has get great coverage for major IDEs and editors.

What's Next​

• We've identified a few areas where we can improve performance and we are actively working on them.
• We'll be instrumenting our SDKs to provide metrics / tracing and logging through OpenTelemetry APIs.
• We'll be adding additional consistency options for OpenFGA query APIs.
• We'll be working on adding authorization for OpenFGA APIs.

Please check the items above and let us know if you have any feedback or idea.

OpenFGA @ CloudNative SecurityCon​

OpenFGA will be present in CloudNative SecurityCon North America!

Maria Ines Parnisari from the OpenFGA team and Evan Anderson from Stacklok will be presenting on Implementing a Multi-Tenant, Relationship-Based Authorization Model with OpenFGA.

We hope to see you there!

Latest Features​

In case you missed them, here are some of the latest major features we've added to OpenFGA:

• Conditional Tuples allows you to define tuples that are only valid under certain conditions.
• Modular Models makes it easy for multiple teams to collaborate on a single OpenFGA model.
• List Users API allowing you to retrieve all the users that have a specific relation with a resource.
• Spring Boot Starter for OpenFGA simplifies integrating OpenFGA with Spring Security applications.
• JetBrain's IDEs plugin to allow syntax coloring and validation of OpenFGA models.

Transitioning from Discord to CNCF's Slack​

As we mentioned before, we transitioned out from Discord for OpenFGA and are now using the CNCF #openfga Slack channel. If you are not part of the CNCF Slack workspace, you need to join the CNCF Slack first.

Checkout https://openfga.dev/community for all the places to find us.

See you next month!​

Fine Grained News are published every month. If you have any feedback, want to share your OpenFGA story, or know about something that you think is worth mentioning, please let us know!