OpenFGA query APIs now allow specifying the desired consistency of query results. By default, OpenFGA does not use a cache. However, when caching is enabled, it applies to all requests. This means that any changes in permissions won't be reflected in authorization checks during the cache TTL period.

The community expressed the need for flexibility in using the cache on a per-request basis. In response, starting with OpenFGA v1.5.7, all query APIs can accept a consistency parameter with the following values:

Name	Description
MINIMIZE_LATENCY (default)	OpenFGA will try to minimize latency (e.g. by making use of the cache)
HIGHER_CONSISTENCY	OpenFGA will try to optimize for stronger consistency (e.g. by bypassing cache)

When HIGHER_CONSISTENCY is specified, OpenFGA reads directly from the database, even when the cache is enabled.

How to use it?​

The new consistency parameter is available in OpenFGA starting v1.5.7.

The parameter is supported by all OpenFGA SDKs.

For more information on enabling the cache and best practices for specifying consistency values, refer to the documentation.

Custom database adapter implementations​

For those with a custom database adapter for a multi-region database, the behavior of the HIGHER_CONSISTENCY parameter can be defined according to your needs. With an eventually consistent database (e.g., Dynamo DB) in a multi-region setup, there will be replication lag even if the cache is bypassed. If the database supports strong reads, you can choose to perform those at an extra cost. Otherwise, you can perform an eventually consistent read without providing full consistency semantics to the caller. In some other databases where you have Read/Write replicas, you may choose to go to the Write replica when the HIGHER_CONSISTENCY preference is selected.

Future work​

Google Zanzibar features a consistency token called Zookies, returned from write operations. This token can be stored in a resource table and specified in subsequent query API calls. We are considering introducing a similar feature in future releases.

We want your feedback!​

We want to learn how you use this API and how we can improve it!

Please reach out through our community channels with any questions or feedback.

Welcome to Fine-Grained News, June 2024 edition!

This is where we share what has been going on in the OpenFGA community during the last 30 days :).

What are we working on?​

• We started adding OpenTelemetry instrumentation to our SDKs. We just shipped metrics support for Python and Javascript. We'll continue with tracing and logging, and we'll be adding support for Java, Go and .NET next.

• We are close to ship a first iteration to add additional consistency options for OpenFGA.

• We are working with Krishna Kumar and Eddie Knight from the CNCF Tag-Security team on a joint security assessment for OpenFGA. We are pretty close to wrapping it up! You can follow the progress in this PR.

• We'll be working on adding authorization for OpenFGA APIs.

• We've identified a few areas where we can improve performance and we are actively working on them.

If you have any feedback, or want to try a feature early, or are interested to learn more, please reach out!

New Adopters​

We are thrilled to welcome Sourcegraph to the list of companies in our Adopters list! We are proud to be addressing their fine-grained authorization needs.

If you are using OpenFGA in production, please consider adding your company/project to the list, it will be greatly appreciated!

Community​

• Zuplo released an OpenFGA Authorization Inbound Policy that makes it super simple to add fine-grained authorization to your APIs. They are also using OpenFGA deployed globally in GCP for Zuplo itself. You can learn more about their OpenFGA integration journey in this webinar.

• Martin Besozzi built an APISIX plugin for OpenFGA. He also published a blog post about Mastering Access Control: Implementing Low-Code Authorization Based on ReBAC and Decoupling Pattern demonstrating how to use it.

• Andres Aguiar and Damian Schenkelman will do an OpenFGA Deep Dive in the July 17 episode of Identirati Office Hours.

OpenFGA @ CloudNative SecurityCon​

OpenFGA was present in CloudNative SecurityCon North America!

Maria Ines Parnisari from the OpenFGA team and Evan Anderson from Stacklok presented on Implementing a Multi-Tenant, Relationship-Based Authorization Model with OpenFGA.

We also got a last-minute kiosk to showcase OpenFGA at the event:

Thanks to everyone that stopped by!

Latest Features​

In case you missed them, here are some of the latest major features we've added to OpenFGA:

• List Users API allows you to retrieve all the users that have a specific relation with a resource.

• Modular Models makes it easy for multiple teams to collaborate on a single OpenFGA model.

• JetBrain's IDEs plugin to allow syntax coloring and validation of OpenFGA models.

• Conditional Tuples allows you to define tuples that are only valid under certain conditions

• Spring Boot Starter for OpenFGA simplifies integrating OpenFGA with Spring Security applications.

Transitioning from Discord to CNCF's Slack​

As we mentioned before, we transitioned out from Discord for OpenFGA and are now using the CNCF #openfga Slack channel. If you are not part of the CNCF Slack workspace, you need to join the CNCF Slack first.

Checkout https://openfga.dev/community for all the places to find us.

See you next month!​

Fine-Grained News are published every month. If you have any feedback, want to share your OpenFGA story, or know about something that you think is worth mentioning, please let us know!

Welcome to Fine-Grained News, May edition!

New Releases!​

• We shipped the a ListUsers API. ListUsers allows you to retrieve all the users that have a specific relation with a resource (e.g. all users that can view a document).

• In collaboration with Yann D'Isanto we shipped a plugin for JetBrain's IDEs to allow syntax coloring and validation of OpenFGA models. Together with the Visual Studio Code integration and the Tree sitter grammar from Matouš Dzivjak, OpenFGA has get great coverage for major IDEs and editors.

What's Next​

• We've identified a few areas where we can improve performance and we are actively working on them.
• We'll be instrumenting our SDKs to provide metrics / tracing and logging through OpenTelemetry APIs.
• We'll be adding additional consistency options for OpenFGA query APIs.
• We'll be working on adding authorization for OpenFGA APIs.

Please check the items above and let us know if you have any feedback or idea.

OpenFGA @ CloudNative SecurityCon​

OpenFGA will be present in CloudNative SecurityCon North America!

Maria Ines Parnisari from the OpenFGA team and Evan Anderson from Stacklok will be presenting on Implementing a Multi-Tenant, Relationship-Based Authorization Model with OpenFGA.

We hope to see you there!

Latest Features​

In case you missed them, here are some of the latest major features we've added to OpenFGA:

• Conditional Tuples allows you to define tuples that are only valid under certain conditions.
• Modular Models makes it easy for multiple teams to collaborate on a single OpenFGA model.
• List Users API allowing you to retrieve all the users that have a specific relation with a resource.
• Spring Boot Starter for OpenFGA simplifies integrating OpenFGA with Spring Security applications.
• JetBrain's IDEs plugin to allow syntax coloring and validation of OpenFGA models.

Transitioning from Discord to CNCF's Slack​

As we mentioned before, we transitioned out from Discord for OpenFGA and are now using the CNCF #openfga Slack channel. If you are not part of the CNCF Slack workspace, you need to join the CNCF Slack first.

Checkout https://openfga.dev/community for all the places to find us.

See you next month!​

Fine-Grained News are published every month. If you have any feedback, want to share your OpenFGA story, or know about something that you think is worth mentioning, please let us know!

Today we are launching a new API for OpenFGA: ListUsers.

This API will answer the question "what users have relation X with object Y?". This will be useful, for example, in UIs that want to display the list of users that a resource has been shared with, e.g. the "share" dialog in Google Docs.

You can read more about it in the API docs and the product documentation.

How to use it?​

ListUsers is available in OpenFGA starting with v1.5.4.

To be able to call this API, you must turn on this flag on the server: --experimentals enable-list-users. Be sure to also check out the various configuration flags that were added to control its behavior.

The new functionality is available on the latest versions of the Java, .NET, Go and Javascript SDK, CLI and VS Code integration.

We'll be releasing support for the Python SDK soon.

We want your feedback!​

We want to learn how you use this API and how we can improve it!

Please reach out through our community channels with any questions or feedback.

Welcome to Fine-Grained News, April edition!

New Releases!​

• Modular Models is now part of the OpenFGA core, making it easy for multiple teams to collaborate on a single OpenFGA model. Check it out, we love the feature! :)

• Thanks to the help provided by the Spring Security team there's now a Spring Boot Starter for OpenFGA!

• We shipped an OpenFGA Release Candidate with a new ListUsers API, that can be enabled with an experimental flag. ListUsers allows you to retrieve all the users that have a specific relation with a resource, for example, all users that can view a document.

OpenFGA Hackathon​

A few weeks ago we hosted a Hackathon where multiple team members experimented new ideas around OpenFGA. You'll need to wait until the next community meeting to learn more :).

OpenFGA Security Assessment​

We are working with the CNCF Tag-Security team on a joint security assessment, which is a step required to get accepted as a CNCF Incubation project.

What's Next​

• In collaboration with Yann D'Isanto we are building a plugin for JetBrain's IDEs to allow syntax coloring and validation of OpenFGA models. Together with the Visual Studio Code integration and the Tree sitter grammar from Matouš Dzivjak OpenFGA will get great coverage for major IDEs and editors.

• We'll be instrumenting our SDKs to provide metrics / tracing and logging through OpenTelemetry APIs.

• We'll be adding additional consistency options for OpenFGA query APIs.

• We'll be working on adding authorization for OpenFGA APIs.

Please check the items above and let us know if you have any feedback or idea.

Transitioning from Discord to CNCF's Slack​

As we mentioned in the last edition, we transitioned out from Discord for OpenFGA and are now using the CNCF #openfga Slack channel. If you are not part of the CNCF Slack workspace, you need to join the CNCF Slack first.

See you next month!​

Fine-Grained News are published every month. If you have any feedback, want to share your OpenFGA story, or know about something that you think is worth mentioning, please let us know!

Modular models aims to improve the model authoring experience when multiple teams are maintaining a model, such as:

• A model can grow large and difficult to understand
• As more teams begin to contribute to a model, the ownership boundaries may not be clear and code review processes might not scale

With modular models, a single model can be separated across multiple files allow grouping of types and conditions into modules. This means that a model can be organized more easily in terms of team or organizational structure. Used in conjunction with features such as GitHub, GitLab or Gitea's code owners, it should become easier to ensure the owners of a portion of your model are correctly assigned to review it.

How to use it?​

Modular models is available in the latest version of OpenFGA. To use it you need to:

• Update to the v0.3.0 release of the CLI
• Update to v0.2.21 of the VS Code Extension
• Download v1.5.3 of OpenFGA
• Check out the modular models sample store in the sample-stores repo
• Review the documentation for this feature
• Check a demo video in Youtube

What's next?​

Looking beyond the near term, modular models allows us to implement additional API authorization options for OpenFGA.

Reach out!​

We want to learn how you use this feature and how we can improve it!

Please reach out through our community channels with any questions or feedback.

Welcome to Fine-Grained News, KubeCon Edition!

KubeCon Europe 2024 was super-busy!​

You can now watch online:

• An AppDeveloperCon session about Implementing Modern Cloud Native Authorization Using OpenFGA where Pauline Jamin and Andres Aguiar go over how OpenFGA is helping Agicap to implement fine-grained authorization.

• A 7-min Lightning Talk about OpenFGA: The Cloud Native way to implement Fine-Grained Authorization.

• Jonathan Whitaker's talk about Federated IAM for Kubernetes with OpenFGA, demoing how to use OpenFGA and KeyCloak to implement fine-grained authorization in a Kubernetes cluster, in ways it's not possible today, like giving access to a user for 90 seconds.

• We also participated in Canonical's Operator Day sharing how Canonical is using OpenFGA, but the presentation is not online yet.

Also, thanks to everyone who stopped by the OpenFGA Kiosk in the Project Pavilion to share their feedback about the project or learn more about it!

CNCF incubation​

As you may know, the CNCF has three stages for projects: Sandbox, Incubation, and Graduation. OpenFGA is currently a Sandbox project.

We are very happy to announce that we just applied for Incubation! We are excited about this step and will keep you posted on the progress.

New Adopters​

The OpenFGA community maintains a list of products/projects/companies that are using OpenFGA in production. We'd like to thank thank the following adopters for adding themselves to the list in the last month:

• Instill AI
• Zuplo
• OpenObserve
• Datum

If you are using OpenFGA in production, please consider adding your company/project to the list.

Community News​

• Raghd Hamzeh represented OpenFGA in an episode on Authorizing Access within a series called "You Choose - Choose Your Own Adventure: The Treacherous Trek to Security”. This episode was comparing OpenFGA with Hexa and Paralus. OpenFGA was the project viewers voted for as most interested in being featured in a demo.

• Sam Bellen published a Google Drive example using OpenFGA. It's a Next.js project, written in TypeScript and ready to deploy on Vercel.

• Philipp Wagner is working on a .NET example inspired by the Github model.

• Pauline Jamin and Geoffroy Braun will present about Infuser du métier dans les autorisations avec ReBAC at Devoxx France 2024 in April 17th.

New Releases​

We just shipped a release candidate of Modular Models, that makes it easy for multiple teams to collaborate in a single OpenFGA model. It requires the following components:

• OpenFGA v.1.5.1
• CLI v0.3.0
• Visual Studio Code Extension v0.2.20

We also shipped new version of our SDKs with several fixes:

• Javascript SDK 0.3.5.
• Go SDK v0.3.5
• Java SDK v0.4.0

Transitioning from Discord to CNCF's Slack​

As we mentioned in the last edition, we transitioned out from Discord for OpenFGA and are now using the CNCF #openfga Slack channel. If you are not part of the CNCF Slack workspace, you need to join the CNCF Slack first.

See you next month!​

Fine-Grained News are published every month. If you have any feedback, want to share your OpenFGA story, or know about something that you think is worth mentioning, please let us know!

Welcome to the 3rd edition of Fine-Grained News!

KubeCon Europe 2024 is getting closer!​

We'll be pretty busy during KubeCon Europe 2024:

• Jonathan Whitaker from Okta will talk about Federated IAM for Kubernetes with OpenFGA

• Pauline Jamin from Agicap and Andres Aguiar from Okta will present on Implementing Modern Cloud Native Authorization Using OpenFGA

• OpenFGA will be present in Canonical's Operator's day, co-located at KubeCon EU. Andres Aguiar and Massimilano Gori from Canonical, will talk about how Canonical adopted OpenFGA for implementing authorization in Juju.

• Andres Aguiar will also be delivering a Lightning Talk titled OpenFGA - The Cloud Native way to implement Fine-Grained Authorization (link not available yet :) ).

We'll also have a kiosk in the CNCF Project Pavilion, so if you plan to attend let us know and we can schedule some time together!

Documentation Improvements​

We keep improving our documentation, and added a few new documents that you might find interesting:

• Learn how to use the FGA CLI to perform every possible operation on OpenFGA and simplify most common workflows.

• Learn how you can test FGA models as part of your development flow or CI/CD pipelines, without the need to run an OpenFGA server.

• Learn how you can include identity token claims contextual tuples to model ABAC-like scenarios or simplify data integrations with OpenFGA.

OpenFGA in the Java Ecosystem​

OpenFGA is getting bigger on the Java world! We are working with the Spring Security team to build an Spring Security integration for OpenFGA. You can check the ideas we are exploring in this repository.

Also, the Testcontainers team added an OpenFGA integration for Java to make it simple to write integration tests for applications using OpenFGA.

We'd love to hear your feedback!

SDK Improvements​

New releases with bug fixes and improvements:

• Javascript SDK 0.3.3.
• Go SDK v0.3.5
• Python SDK v0.4.1

Modular Models​

We wrapped up the RFC for Modular Models, which will enable multiple teams to work on different parts of the model independently and we are now working on the implementation. We'd love feedback on the RFC.

Wait for a demo on our next Community Meeting!

Community News​

• Learn how stacklok is using OpenFGA to implement authorization in Minder, an open source project that makes it easier to apply and automate the enforcement of security checks and policies across multiple GitHub repositories.

• Check this OpenFGA tutorial by Alberto Coronado (in Spanish!).

• Raghd Hamzeh joined Whitney Lee in an in-depth Tanzu ⚡️Enlightning session about OpenFGA.

Transitioning from Discord to CNCF's Slack​

As you may know, we've been using Discord for the OpenFGA community. We’ll transition it to the CNCF OpenFGA Slack channel. If you are not part of the CNCF Slack workspace, you need to join the CNCF Slack first.

See you next month!​

Fine-Grained News are published every month, after the OpenFGA community meeting. If you have any feedback, you want to share your OpenFGA story, or know about something that you think is worth mentioning, please let us know!

Welcome to the 2nd edition of Fine-Grained News!

Team News​

The OpenFGA team got bigger, and we met in person in Toronto for the first time! We got to know each other better, helped new team members to get familiar with the project, hacked some code, had some fun with ax throwing, and loved Toronto's weather!

KubeCon Europe 2024!​

We got two presentations accepted in KubeCon Europe!

• Jonathan Whitaker from Okta will talk about Federated IAM for Kubernetes with OpenFGA

• Pauline Jamin from Agicap and Andres Aguiar from Okta will present on Implementing Modern Cloud Native Authorization Using OpenFGA

We'll also have a Project Kiosk, so if you plan to attend let us know and we can schedule some time together!

OpenFGA ⚡️Enlightning Session!​

Our own Raghd Hamzeh will join Whitney Lee in a Tanzu ⚡️Enlightning session on February 8th at 9am PT.

Join their Youtube stream here.

Visual Studio Code Integration Enhancements​

We keep investing in improving our VS Code experience. The video below shows how, in addition to validating the model, we can validate the tuple content and the tests.

We are identifying:

• Invalid object types, user types, and relations when defining tuples.
• Invalid object types, user types, and relations when defining tests.
• User id or object id that was not included in any tuple in check tests.

This helps authoring/testing models, making the whole process less error prone and more fun!

CLI improvements​

We love the FGA CLI and we keep making it even better.

We had a few of contributions from new team members and the community :).

• You can now import tuples from a CSV file. We supported JSON/YAML, but if you are exporting data from a database, producing to CSV is way simpler.
• You can take a .fga.yaml file with a model and tuples, and get it imported in OpenFGA.
• Added support for specifying an external tuple_file in .fga.yaml files.
• Added support for specifying a continuation_token when calling fga tuple changes.
• Support for configuring OAuth scopes to authenticate to OIDC servers.

Check the updated documentation in our CLI repository

Thanks to Yann D'Isanto for all your help on this!

OpenFGA v1.4.3​

We just shipped OpenFGA v1.4.3, with performance improvements and one security issue fixed. We recommend everyone to upgrade to the latest release.

SDK Improvements​

New releases with bug fixes and improvements:

• Java SDK v0.3.2. If you are using the Java SDK please upgrade to this version.
• Go SDK v0.3.4
• Python SDK v0.4.0, which has breaking changes.

Thanks again to Yann D'Isanto for your help on the Java SDK!

Language Improvements​

The DSL language now has better support for comments and mixed operator support, where you can use parentheses to group expressions when defining relations:

It's available in the VS Code extension, the CLI and the Playground.

Github Actions​

We shipped a couple of Github Actions that help you deploy FGA models, and run model tests as part of your CI/CD build. Find them here.

What's Next? Check our RFCs!​

We've been discussing with the OpenFGA community a couple of RFCs that we are planning to implement in the next few weeks:

• Support for modular models.
• ListUsers API.

Please take a look at them and let us know what you think!

OpenFGA Community​

We have a very welcoming community, and we'd love to have you there! You can join us in different ways:

• Join our community meetings, the second Thursday of every month. All the recordings are here.
• Stay up to date by following us on X.
• Join our community channels in Slack or GitHub.

See you next month!​

Fine-Grained News are published every month, after the OpenFGA community meeting. If you have any feedback, you want to share your OpenFGA story, or know about something that you think is worth mentioning, please let us know!

Hi Everyone!

We've been publishing a monthly internal newsletter we called Fine-Grained News since the beginning on 2023, and we just thought it would be a good idea to share it with the community. Yeah, we are slow thinkers!

You can expect to find here a summary of what we've been up to, what we are planning to do, and some other random stuff we think you might find interesting.

Team News​

We always start our Monthly Community Meetings presenting the team. If you attended the last one, you've seen that the size of the team has grown quite a bit! We are pretty excited about the impact it will have in OpenFGA and the authorization space in general.

Behavior Driven Development with OpenFGA​

In our last Community Meeting, the Agicap team (Pauline and Yann) demoed how they are using OpenFGA to implement Behavior Driven Development (BDD) in their authorization system.

The screenshot below might be enough to understand what they are doing, but if you want to know more, you can watch the full presentation here.

GoDaddy & OpenFGA​

GoDaddy has been working with OpenFGA for a few months. They just published a document explaining why they picked OpenFGA, and how they used to address the authorization challenges they were facing.

Some interesting tidbits:

• They implemented their own DynamoDB Storage Adapter, as they were heavy Dynamo DB users and liked the eventual consistency model it provided.
• They needed Contextual Tuples to fully support their use case.

Read the full article here.

Canonical & OpenFGA​

Canonical has also been working with OpenFGA for a while, and it's adding OpenFGA to different layers in their stack.

They just announced that OpenFGA support is included in LXD and MicroCloud.

Pretty soon, if you are using Ubuntu Pro, you will be using OpenFGA :).

OpenFGA v1.4!​

Last week we released OpenFGA v1.4! This release includes our support for Conditional Relationship Tuples, which helps implementing additional Attribute-Based Access Control scenarios like temporal access, IP based access, bank transfer limits, SaaS application plans, and much more!

You can read more about it here.

SDK Improvements​

• The Java SDK has now feature parity with the rest of the our SDKs. It can be used from any language for the Java VM. You can see examples on Kotlin, Groovy and Scala here.

• The Python SDK was updated to support synchronous clients, support custom SSL certificates, and better performance in batch checks.

Language Improvements​

We've been working on the OpenFGA language with some long-due improvements. Soon, you'll be able to use parentheses to group expressions when defining relations:

The syntax is still not supported in the FGA CLI, but we are pretty close. Daniel demoed it in our latest community meeting, you can see the full demo here.

VS Code Extension Improvements​

We have also been improving tuple validation when writing fga.yaml files, and it's pretty cool! Works on Daniel's machine for now :).

Daniel also demoed it in our latest community meeting, watch it here.

KubeCon EU 2024​

We are getting ready for KubeCon Europe 2024, in Paris. We'll have a Project Kiosk, and we have submitted a few talks. We'll keep you posted!

OpenFGA Community​

We have a very welcoming community, and we'd love to have you there! You can join us in different ways:

• Join our community meetings, the second Thursday of every month. All the recordings are here.
• Join our community channels in Slack or GitHub.
• Stay up to date by following us on X.
• Ask questions, submit ideas, or just say hi in our GitHub Discussions.

See you next month!​

We'll keep publishing our Fine-Grained News each month, after the OpenFGA community meeting. If you have any feedback, you want to share your OpenFGA story, or know about something that you think is worth mentioning, please let us know!