This message was deleted.

https://www.openpolicyagent.org/#application Would something like Open Policy Agent meet your goals?

Let me check! Thanks!!

OSO?

Hey @Anthony Critelli, i checked your proposal and seems to be available as a package for your app. Our setup requires a solution to work without including anything inside the app. Usually we have an apigateway that forwards request to a lambda and we need this extra thing between both to do custom auth based on groups. I think your proposal doesnt cover that, right?

@Eduard Bargues So you need a service between the API Gateway and the end service to mediate authorization? If that's the case, then OPA might not be the right fit. I think in this case you would either extend your app to use OPA, or write a service in between them to mediate the authorization.

If you prefer a centralised service approach, then Zanzibar (Google’s own implementation, oss implementations: Ory Keto, SpiceDB) is pretty neat. The key thing to scale it is how well the implementation handles the cache of the DAG schema and config. As per our internal study, SpiceDB is the most mature. But since it’s a paradigm shift, I suggest to read the paper first (https://research.google/pubs/pub48190/).

I think the customAuthLambda solution is gaining momentum guys. Seems to be the best solution in terms of operation costs (people involved + infra)