openfga VS topaz

It’s 2025 y’all, time to retire that ancient, one-size-fits-all approach. OpenFGA gives you the flexibility to handle complex user relationships with elegance. Whether you’re cooking up the next Slack, managing external contractors, or just tired of editing roles for your friends named Bob, ReBAC can save you from permissions purgatory.

External Authorization System Using Policy engines like SpiceDB, OpenFGA, ORY Keto, OpenPolicy Agent (OPA), let you put your ReBAC rules in an external system and reference them from your queries. The main benefit you get from the centralized relationships model is it makes it possible to manage authorization centrally. This means that development teams can create new applications and add new relationships without needing to update any application code.

How does this compare to auth0's OpenFGA (based on Zanzibar)?

https://openfga.dev

This feels very much like OpenFGA[0]. I've been evaluating authorization tool for one of my side projects and honestly most tools feels like creating relationships in a graph-like database and querying to see if there is/isn't relationship between two entities. Is there more to this (besides the implementation details) or am I missing something from these tools?

[0] https://openfga.dev/

OpenFGA

OpenFGA is CNCF Sandbox authorization service inspired by Google Zanzibar

- https://authzed.com/spicedb/ - https://cerbos.dev/ - https://openfga.dev/ - https://www.permify.co/

Thanks for the answer. I played around with Keycloak for a bit and I saw that roles could be mapped as token claims, however for systems where you need fine grained access control (where roles are not enough) you need some other solution. One option could be to use an external authorization system. One such system could be OpenFGA https://openfga.dev/ that is based on Google Zanzibar https://research.google/pubs/pub48190/ research paper. This answer on SO is also helpful https://stackoverflow.com/a/75047064/10781180

OPA is a great tool for implementing a policy-as-code system. But if you're trying to use it for application authorization (e.g. fine-grained authz for B2B SaaS or a set of internal applications), you may find that its policy story is strong, but it doesn't really have a "data plane": you either store data in a data.json file and rebuild the policy any time that data changes, or make an http.send call out of the policy to fetch dynamic data.

Check out Topaz [0], which uses OPA as its decision engine, but adds a data plane that is based on the ReBAC ideas explored in the Google Zanzibar [1] paper.

Disclaimer: I work on the team [2] that builds and maintains the Topaz project.

[0] https://www.topaz.sh

[1] https://research.google/pubs/zanzibar-googles-consistent-glo...

[2] https://www.aserto.com

You can, simply use the topazd.exe binary from the topaz_windows_x86_64.zip from the GH releases page (https://github.com/aserto-dev/topaz/releases). Note this is currently not a Windows Service, so not net start topaz. Let me know if that would be interesting.

Topaz is an open-source authorization project for cloud-native applications. It uses OPA as the decision engine and supports Rego policy as first-class citizens. It also has an embedded relationship database to support data-centric authorization models like Google Zanzibar's relationship-based access controls (ReBAC).