Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hey folks.

I would like to ask for feedback on the idea of integrating Ory Oathkeeper with the CNCF project <https://openfga.dev/|OpenFGA> (open fine-grained authorization)? I think both are great projects, and would work really well together.

Right now, Oathkeeper does not support OpenFGA. We tried using the authorizer `remote_json` . That almost works, but Oathkeeper expects the authorization service (=OpenFGA) to respond with a  `200`/`403`, but OpenFGA always responds with a `200` and the authorization decision in the body (`{"authorized": true|false}`).

It seems to me that the cleanest approach to integrating OpenFGA would be to write a custom authorizer. Would that be a PR that the Ory team would consider?

Best,
Sean

Traefik, Nginx, Envoy even Amazon API Gateway docs (<https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html>) expect 401 so OpenFGA should change this. I've asked them in their Slack channel if they will...