Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

hi there :slightly_smiling_face:

we are currently looking into different options to implement fine-grained authorization for our application (that currently just uses RBAC with Auth0). The most interesting options seem to be Ory, Oso and Authzed.

One of the challenges we face is deciding which data should be centralized as part of the authorization service and which should only be kept locally by the application.

Oso has <https://www.osohq.com/docs/concepts/oso-cloud-data-model#sending-context-facts-at-authorization-time|this cool feature> where you can send "facts" as part of the context of an authorization request ("Hey can this user X transfer funds from this account number Y... and btw for context: this user X is part of organization Z"). This allows for a lot of flexibility in deciding which data needs to stored in a central location and which can be kept local and only passed to the authorization service at runtime when the information is needed for a specific decision.

Question: *is something similar possible with Ory?*

P.S. our application isn't in banking but in the electronics supply chain, but I just used the last example in this channel :wink: