Best practice for performing permissions checks in the gateway

[couling]

I'm looking for any best-practice or otherwise actual experience on putting permissions checks into the [HTTP/gRPC] Gateway such as Envoy.

Envoy itself supports external authorization but there needs to be something to map the request (URL/Body/Auth token) into a permissions check request against OpenFGA.

I can see this project seems to be focussed on that but is still a work in progress and so will not be ready for our needs. This leaves me with too many options and none of them immediately grab me as "the right one".

Does anyone have any experience doing this or reccomendations?

Possible options (others welcome):

• Add OPA-Envoy and dial out from there with http.send
• Build our own middleware to do the mapping - might be difficult to maintain as APIs change.
• Build an extension to OpenFGA
• others?

[aaguiarz]

Hi @couling

Were you able to make any progress? Did you give https://github.com/openfga/openfga-envoy a try?

[couling]

We have nothing in production yet but we are now pressing ahead with OpeFGA with a view to productionising it in the very near future.

We won't be putting Auth checks in the gateway yet as we haven't been able to stabalize an aproach. But we have worked through a couple of POCs as mini "innovation" projects, so there is some movement there.

To Rephrase the problem

We'd like to move authorization out of the code for our services and and put it somewhere that's much easier to maintain than burried in the weeds of the applicaiton code.

This leaves us with two questions:

• Where do we put configuration/code to map "If this request, then check that permission".
• How to link the gateway (Envoy) to OpenFGA

We've experimented with:

Envoy --> OPA-Envoy --> OpenFGA, Envoy --> service

As a POC this was quite promising. It does add an extra middleware to run, and thus one extra component to fail. OPA-Envoy is relativly well stabalized and supports JWT with caching JWKS support almost out of the box. What was nice here was that I was able to come up with an easy pattern for wiring policies into the gateay or Envoy sidecar using little more than stock docker images and K8s config maps.

I was able to create a Rego library (OPA's own language) to extract, verify a JWT before unboxing the claims. And another providing a function to talk to OpenFGA over REST. This then made it really easy to write Rego policies per serivce to map the requests to permissions checks and allow / deny.

Envoy / Lua (gateway)

I have less details on this. But I'm led to believe the result was similar to the OPA one.

Envoy --> Custom Middleware --> Service

We're expecting to use this to be our first production ready approach, including for protecting OpenFGA itself. It lets us make a few other changes like subtally change the API and adding an API for tagging models.

But this is a lot of dev /test time.