{"id":28474929,"url":"https://github.com/datum-cloud/auth-provider-openfga","last_synced_at":"2026-04-02T12:05:37.701Z","repository":{"id":297061274,"uuid":"992170220","full_name":"datum-cloud/auth-provider-openfga","owner":"datum-cloud","description":"Leverage OpenFGA for authorization with Milo","archived":false,"fork":false,"pushed_at":"2026-03-31T15:57:11.000Z","size":667,"stargazers_count":0,"open_issues_count":14,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-31T16:17:16.311Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/datum-cloud.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-05-28T18:18:52.000Z","updated_at":"2026-03-31T14:34:58.000Z","dependencies_parsed_at":"2025-06-04T02:15:55.755Z","dependency_job_id":"cbeb3e95-6672-49c5-8aab-b2dd3442caf2","html_url":"https://github.com/datum-cloud/auth-provider-openfga","commit_stats":null,"previous_names":["datum-cloud/auth-provider-openfga"],"tags_count":17,"template":false,"template_full_name":null,"purl":"pkg:github/datum-cloud/auth-provider-openfga","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/datum-cloud%2Fauth-provider-openfga","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/datum-cloud%2Fauth-provider-openfga/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/datum-cloud%2Fauth-provider-openfga/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/datum-cloud%2Fauth-provider-openfga/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/datum-cloud","download_url":"https://codeload.github.com/datum-cloud/auth-provider-openfga/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/datum-cloud%2Fauth-provider-openfga/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31305973,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-02T09:48:21.550Z","status":"ssl_error","status_checked_at":"2026-04-02T09:48:19.196Z","response_time":89,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-06-07T13:35:44.796Z","updated_at":"2026-04-02T12:05:37.680Z","avatar_url":"https://github.com/datum-cloud.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Milo OpenFGA Auth Provider\n\nAuthorization infrastructure for Milo's business operating system backed by\nOpenFGA - enabling fine-grained, relationship-based access control across\nbusiness entities like customers, products, agreements, and organizational\nresources.\n\n## Overview\n\nThis project provides the authorization backbone for the [Milo business\noperating system](https://github.com/datum-cloud/milo), which uses Kubernetes\nAPIServer patterns to manage business entities for product-led B2B companies.\nThe auth provider bridges Milo's business APIs with OpenFGA's relationship-based\nauthorization engine to answer complex business questions like:\n\n- *\"Can this sales rep view pricing for customers in this project?\"*\n- *\"Can this account manager modify agreements for this organization?\"*\n- *\"Which product features can this customer access based on their\n  entitlements?\"*\n\n### Key Capabilities\n\n1. **Resource Authorization** - Protects Milo's resources using\n   relationship-based policies\n2. **Organizational Hierarchies** - Supports complex business structures with\n   permission inheritance across organizations and projects\n3. **Dynamic Permission Models** - Automatically builds authorization models as\n   new resource types are registered in Milo\n4. **Real-time Access Control** - Provides webhook-based authorization that\n   integrates seamlessly with Milo's Kubernetes-based APIs\n\n## How It Works\n\n1. **Resource Registration**: `ProtectedResource` CRDs define what resources\n   should be protected and what permissions are available (view, edit, delete,\n   manage)\n2. **Authorization Model Sync**: The system automatically builds OpenFGA type\n   definitions based on registered resources\n3. **Role Management**: `Role` CRDs define roles (Sales Rep, Account Manager)\n   with collections of permissions\n4. **Access Binding**: `PolicyBinding` CRDs create relationships between\n   subjects, roles, and target resources\n5. **Runtime Authorization**: Webhook servers evaluate access requests by\n   querying OpenFGA relationship graphs\n6. **Inheritance Support**: Resources inherit permissions through organizational\n   hierarchies (Organization → Project → Customer)\n\nReview the [Architecture](./docs/architecture.md) documentation for more\ninformation.\n\n## Essential Commands\n\n```bash\ntask dev:setup          # Complete environment setup\ntask dev:deploy         # Deploy/redeploy application\ntask dev:status         # Check environment status\ntask dev:logs           # View application logs\ntask test               # Run tests\n```\n\n## Documentation\n\n- **[Architecture Guide](docs/architecture.md)** - System design, components,\n  and data flow\n- **[OpenFGA Integration](docs/openfga-integration.md)** - OpenFGA authorization\n  model and implementation details\n\n## Project Structure\n\n```\n├── config/               # Kubernetes manifests and Kustomize overlays\n├── docs/                 # Detailed documentation\n├── internal/             # Application logic\n│   ├── controller/       # Kubernetes controllers\n│   ├── webhook/          # Authorization webhook server\n│   └── openfga/          # OpenFGA integration layer\n├── cmd/                  # CLI entrypoints (manager, webhook)\n└── test/                 # E2E tests\n```\n\n## Quick Contributing\n\n1. `task dev:setup` - Set up environment\n2. Make your changes\n3. `task test \u0026\u0026 task test:e2e` - Verify changes\n4. Submit PR\n\nFor detailed guidelines, see [Contributing Guide](docs/contributing.md).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdatum-cloud%2Fauth-provider-openfga","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdatum-cloud%2Fauth-provider-openfga","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdatum-cloud%2Fauth-provider-openfga/lists"}