[Initiative] Fine-Grained Authorization with OpenFGA/SpiceDB #50

@juliuskrah

Description

Summary

Add an optional fine-grained authorization module for GitStore using OpenFGA, Ory Keto, or SpiceDB to enforce relationship-based permissions for enterprise tenants.

Scope

In scope:

  • Pluggable authorization provider contract for OpenFGA/SpiceDB
  • Authorization checks in GitStore API for key resources (catalog, basket, orders, admin)
  • Mapping from identity claims and tenant context to authorization tuples/checks
  • Policy model templates for common RBAC/ReBAC patterns
  • Caching and fail-safe behavior for authorization lookups

Out of scope:

  • Replacing OIDC authentication
  • Building a new identity provider
  • Full policy administration UI in this initiative

Acceptance Criteria

  • Authorization module can be enabled/disabled by configuration
  • GitStore can evaluate permissions via OpenFGA/SpiceDB for protected endpoints
  • Tenant isolation rules are enforced by policy model and tested
  • Core mode still works without external authorization engine
  • Docs include architecture flow and sample model/tuples
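The provider contract, the claim-to-check mapping and the caching/fail-safe behaviour listed in scope, together with the tenant-isolation rule from the acceptance criteria, sketched as an added Python example. This is not GitStore code: the resource names come from the issue, while the class names, the relation model and the sample tuples are constructed assumptions standing in for a real OpenFGA/SpiceDB model.

```python
import time
from typing import Protocol

class AuthzProvider(Protocol):
    """Pluggable contract: an OpenFGA or SpiceDB client would implement check()."""
    def check(self, user: str, relation: str, obj: str) -> bool: ...

# Constructed ReBAC model (assumption): per object type, each relation lists the
# rewrites that also grant it. ("self", r) = relation r on the same object;
# (parent, r) = relation r on the object's <parent>, e.g. tenant admins.
MODEL = {
    "tenant": {"member": [], "admin": []},
    "order": {"tenant": [], "owner": [],
              "viewer": [("self", "owner"), ("tenant", "admin")]},
}

class InMemoryReBAC:
    """Stand-in engine over (user, relation, object) tuples, OpenFGA-style."""
    def __init__(self, tuples):
        self.tuples = set(tuples)

    def check(self, user, relation, obj):
        if (user, relation, obj) in self.tuples:
            return True
        for via, rel in MODEL.get(obj.split(":")[0], {}).get(relation, []):
            if via == "self":
                if self.check(user, rel, obj):
                    return True
            else:  # follow the parent link, e.g. order -> tenant
                for parent, r, o in self.tuples:
                    if r == via and o == obj and self.check(user, rel, parent):
                        return True
        return False

class GitStoreAuthorizer:
    """Maps identity claims to a check, caches results, fails closed on error."""
    def __init__(self, provider: AuthzProvider, ttl: float = 30.0):
        self.provider, self.ttl, self._cache = provider, ttl, {}

    def allowed(self, claims: dict, relation: str, obj: str) -> bool:
        key = (f"user:{claims['sub']}", relation, obj)  # claim -> subject id
        hit = self._cache.get(key)
        if hit and hit[1] > time.monotonic():
            return hit[0]
        try:
            result = self.provider.check(*key)
        except Exception:
            return False  # fail closed: an engine outage never grants access
        self._cache[key] = (result, time.monotonic() + self.ttl)
        return result
```

With the constructed tuples below, an order's owner and an admin of the order's own tenant can view it, an admin of a different tenant cannot, and an unreachable engine denies rather than grants.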

Dependencies

Tracking

  • Milestone: TBD

Metadata

  • Assignees: No one assigned
  • Status: Todo
  • Milestone: No milestone
  • Relationships: None yet
  • Development: No branches or pull requests