
Comment by mooreds

6 hours ago

I posted this because using an authorization server like OpenFGA creates a real issue: syncing authorization-related data.

There's identity data that needs to be synced (from an identity provider). This seemed like a cool open source solution for that. It's not enough, of course.

You also need to sync data between your application/domain and the authorization server to have accurate authorization decisions. But other than using the authorization server's SDK, I don't think there's a general solution to that problem.

Disclaimers: I have not used this software. I don't know if it is maintained. I also work for a company that has competitive offerings for both Keycloak and OpenFGA.

In your view why is using the AuthZ server SDK not a good solution - or maybe other way around, what would be a more general solution?

  • I was more musing than anything else. I don't think application data is standardized enough to use a more general solution. This is true across all AuthZ servers; it's not an OpenFGA problem.

    Maybe there's a mapping layer that is possible (similar to ETL) that moves it out of code into configuration? But I'm not sure.
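The "mapping layer, similar to ETL, moved out of code into configuration" idea above, and the earlier point about syncing domain data into the authorization server, as an added example that is not part of the thread and is not OpenFGA's or any vendor's code. It translates domain events into relationship tuples (user, relation, object) using a declarative mapping table, so adding a new event type means editing data rather than sync code. The event names, payload fields, mapping format and the `ALLOWED_RELATIONS` table are assumptions; the in-memory `TupleStore` stands in for the authorization server's SDK write/delete call so the example runs offline.

```python
"""Config-driven mapping from domain events to authorization tuples.

Added example, not from the comment thread or from OpenFGA. Event types,
payload fields, the mapping format and the allowed-relation table are
assumptions; TupleStore stands in for an authorization server's SDK.
"""
import re
from dataclasses import dataclass

# OpenFGA-style relationship tuple: who (user) has which relation to what (object).
@dataclass(frozen=True)
class Tuple:
    user: str
    relation: str
    object: str

# Relations the (assumed) authorization model defines per object type. Values
# substituted from an event payload are checked against this, so a crafted
# payload cannot mint a relation such as "owner" that no mapping intended.
ALLOWED_RELATIONS = {
    "document": {"viewer", "editor"},
    "team": {"member"},
}

# Identifiers must be "<type>:<id>" with a restricted id alphabet.
_ID_RE = re.compile(r"^[a-z]+:[A-Za-z0-9_-]+$")
_PLACEHOLDER_RE = re.compile(r"\{(\w+)\}")

# The mapping layer itself (assumed format): per domain event type, the tuples
# to write and delete, with {field} placeholders filled from the event payload.
MAPPING = {
    "document.shared": {
        "writes": [{"user": "user:{user_id}", "relation": "{role}", "object": "document:{doc_id}"}],
        "deletes": [],
    },
    "document.unshared": {
        "writes": [],
        "deletes": [{"user": "user:{user_id}", "relation": "{role}", "object": "document:{doc_id}"}],
    },
    "member.removed": {
        "writes": [],
        "deletes": [{"user": "user:{user_id}", "relation": "member", "object": "team:{team_id}"}],
    },
}


class MappingError(ValueError):
    """Raised when an event cannot be safely turned into tuples (sync fails closed)."""


class TupleStore:
    """In-memory stand-in for the authorization server's tuple store / SDK."""
    def __init__(self):
        self.tuples = set()

    def write(self, t):
        self.tuples.add(t)

    def delete(self, t):
        self.tuples.discard(t)  # idempotent, like a delete of a missing tuple


def _render(template, payload):
    # Fill {field} placeholders; a missing field is an error, not an empty string.
    def sub(m):
        key = m.group(1)
        if key not in payload:
            raise MappingError(f"event payload missing field {key!r}")
        return str(payload[key])
    return _PLACEHOLDER_RE.sub(sub, template)


def _build_tuple(spec, payload):
    t = Tuple(_render(spec["user"], payload),
              _render(spec["relation"], payload),
              _render(spec["object"], payload))
    if not _ID_RE.match(t.user) or not _ID_RE.match(t.object):
        raise MappingError(f"malformed identifier in {t}")
    obj_type = t.object.split(":", 1)[0]
    if t.relation not in ALLOWED_RELATIONS.get(obj_type, set()):
        raise MappingError(f"relation {t.relation!r} not allowed on {obj_type!r}")
    return t


def apply_event(store, event):
    """Translate one domain event into tuple writes/deletes and apply them.

    Returns (writes, deletes). Unknown event types yield nothing, since not
    every domain event is authorization-relevant. All tuples are built and
    validated before the store is touched, so a bad event applies nothing.
    """
    rules = MAPPING.get(event.get("type"))
    if rules is None:
        return [], []
    writes = [_build_tuple(s, event) for s in rules["writes"]]
    deletes = [_build_tuple(s, event) for s in rules["deletes"]]
    for t in deletes:
        store.delete(t)
    for t in writes:
        store.write(t)
    return writes, deletes


def sync_events(events):
    """Replay an ordered event stream into a fresh store and return it."""
    store = TupleStore()
    for event in events:
        apply_event(store, event)
    return store


# Constructed sample event stream (not real data).
SAMPLE_EVENTS = [
    {"type": "document.shared", "user_id": "alice", "role": "editor", "doc_id": "42"},
    {"type": "document.shared", "user_id": "bob", "role": "viewer", "doc_id": "42"},
    {"type": "document.unshared", "user_id": "bob", "role": "viewer", "doc_id": "42"},
    {"type": "invoice.paid", "invoice_id": "7"},  # not authorization-relevant
]

if __name__ == "__main__":
    for t in sorted(sync_events(SAMPLE_EVENTS).tuples, key=str):
        print(t)
```

Two caveats this makes concrete: event order matters (the unshare must land after the share), so the stream feeding the mapping layer needs ordering guarantees or a periodic full reconciliation against the domain database; and values copied from payloads into relations or identifiers need validation against the authorization model, otherwise the sync path becomes a way to write arbitrary tuples.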