Authorization and Authentication Flows in Production Scenario

Firstly, if the Authorization Model changes in the near future based on a few requirement updates, then the challenge which I could see here is that the RELATION gets removed/updated/added and hence the Relationship Tuples may become invalid in this case?

Secondly, is there a way to create RELATIONSHIP TUPLES automatically using the concept of the Authorisation Model, BUT being sure that the Identities and objects are present in the Authorisation System? Trying to compare with the real-time use case of the Google Drive concept.

Thirdly, are there any articles relating to the data flow from Authentication to Authorisation using OpenFGA?

Hi,

Let me refer to OpenFGA as I had a chance to work with it more closely.
I will try to make my answer as concise as possible but if anything is not clear, please let me know.

Let’s start with authentication.

In my scenario, the Identity Provider used in the solution was Azure Active Directory B2C. It was used to authenticate users.
Each user, once an account is created, has a unique identifier on the Azure AD B2C side, called “ObjectID”.

Now, when it comes to authorization.

To build the authorization system, OpenFGA was used. First of all, it is important to understand that an authorization model can be either deleted or added. It means that if you have new requirements and you have to modify the authorization model, you will have to create a new one and you will get a new authorization model ID:

Then you create tuples using a specific authorization model (you have to provide the authorization model ID):

Tuple creation and deletion can be automated, but it is your task to organize such an approach. You asked about automatic relationship tuples. You could implement such an approach, but you have to specify a unique identifier for each user and object. In my scenario I got the user identifier from Azure AD B2C. Object identifiers were generated during their creation.
Let me put an example:
There is a solution with a web application which is secured by Azure AD B2C (or another identity provider). Now once you (as a user) are authenticated, the ID Token (and optionally the Access Token) is passed to the app. Now let’s say that you would like to upload a document under a specific container (in the Azure Storage Account) dedicated to the user.
The unique identifier of such container could be: "u-<>.
Now once you upload the file, you could also automatically add a new tuple with information about the relationship between the user who uploaded the file, the Azure Storage Container and the file that was uploaded.

It is very important to think about unique object identification in your solution. When it comes to users, you can get their IDs from the identity provider. For the objects it can be more challenging. Sometimes an additional layer would be required where you would store detailed information about the objects (and their identifiers) in your system (like a database). Then you can use this information with the authorization system like OpenFGA to build relations (tuples).

Anyway, if you change your authorization model, you also have to update the tuples.
There is also a good fragment in the documentation about schema model migration:

To facilitate migration to the new DSL schema, you will need to update tuples that are no longer valid. In particular, all tuples whose user field involves a wildcard character (* or user:* ) defined with model schema 1.0 MUST be deleted and re-added back.

I also encourage you to join the community meeting for OpenFGA, where you can ask your questions and share your feedback:

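An added illustration of the two points made in the answer above (example code, not from the post or from OpenFGA), using an in-memory stand-in for the OpenFGA write API: tuples are written against a model ID, the upload hook builds tuples only from identifiers the identity provider and the application already guarantee, and after a model change the tuples whose relation the new model no longer defines are the ones that must be rewritten. The model IDs, the `u-<ObjectID>` container naming and the `viewer`/`editor` relations are assumptions.

```python
from dataclasses import dataclass

# Constructed authorization models keyed by hypothetical model IDs.
# Each maps an object type to the relations that type defines.
MODELS = {
    "model-v1": {"container": {"owner", "viewer"}, "file": {"owner", "viewer"}},
    "model-v2": {"container": {"owner", "editor"}, "file": {"owner", "editor"}},
}


@dataclass(frozen=True)
class Tuple:
    user: str      # "user:<ObjectID>", the ID issued by the identity provider
    relation: str
    object: str    # e.g. "container:u-<ObjectID>" or "file:<id>" (assumed naming)


class TupleStore:
    """Stand-in for an OpenFGA store; every write names the model it targets."""

    def __init__(self, models):
        self.models = models
        self.tuples = set()

    def _defined(self, model_id, obj):
        obj_type = obj.split(":", 1)[0]
        return self.models[model_id].get(obj_type, set())

    def write(self, model_id, t):
        # Refuse tuples whose relation the targeted model does not define.
        if t.relation not in self._defined(model_id, t.object):
            raise ValueError(f"{t.relation} is not defined for {t.object} in {model_id}")
        self.tuples.add(t)

    def invalid_under(self, model_id):
        """Tuples that a new model no longer defines: these need deleting/re-adding."""
        return {t for t in self.tuples if t.relation not in self._defined(model_id, t.object)}


def on_upload(store, model_id, object_id, file_name, shared_with=()):
    """Hook run after a successful upload: the uploader owns the container and the
    file, and each identity in shared_with gets the viewer relation on the file."""
    container = f"container:u-{object_id}"
    file_obj = f"file:u-{object_id}/{file_name}"
    store.write(model_id, Tuple(f"user:{object_id}", "owner", container))
    store.write(model_id, Tuple(f"user:{object_id}", "owner", file_obj))
    for other in shared_with:
        store.write(model_id, Tuple(f"user:{other}", "viewer", file_obj))
    return file_obj
```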