{"id":49351389,"url":"https://github.com/kanywst/awesome-authorization","last_synced_at":"2026-04-27T10:03:19.394Z","repository":{"id":352247894,"uuid":"1214094888","full_name":"kanywst/awesome-authorization","owner":"kanywst","description":"Authorization and access control tools, frameworks, standards, and resources.","archived":false,"fork":false,"pushed_at":"2026-04-18T15:55:31.000Z","size":33,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-18T17:30:47.077Z","etag":null,"topics":["access-control","authorization","authzen","awesome","awesome-list","opa","policy-engine","security","spiffe","zanzibar"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"cc0-1.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kanywst.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-18T05:40:46.000Z","updated_at":"2026-04-18T15:55:36.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/kanywst/awesome-authorization","commit_stats":null,"previous_names":["kanywst/awesome-authorization"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/kanywst/awesome-authorization","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kanywst%2Fawesome-authorization","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kanywst%2Fawesome-authorization/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kanywst%2Fawesome-authorization/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kanywst%2Fawesome-authorization/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kanywst","download_url":"https://codeload.github.com/kanywst/awesome-authorization/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kanywst%2Fawesome-authorization/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32331305,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-26T23:26:28.701Z","status":"online","status_checked_at":"2026-04-27T02:00:06.769Z","response_time":128,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["access-control","authorization","authzen","awesome","awesome-list","opa","policy-engine","security","spiffe","zanzibar"],"created_at":"2026-04-27T10:02:52.457Z","updated_at":"2026-04-27T10:03:19.369Z","avatar_url":"https://github.com/kanywst.png","language":null,"funding_links":[],"categories":["Other Lists"],"sub_categories":["Vue Lists"],"readme":"# Awesome Authorization [![Awesome](https://awesome.re/badge.svg)](https://awesome.re)\n\n\u003cdiv align=\"center\"\u003e\n  \u003cimg src=\"media/logo.svg\" width=\"400\" alt=\"Awesome Authorization\"\u003e\n\u003c/div\u003e\n\n\u003e Authorization and access control: policy engines, standards, services, and learning resources.\n\n## Contents\n\n- [Policy Engines \\\u0026 Frameworks](#policy-engines--frameworks)\n- [Standards \\\u0026 Specifications](#standards--specifications)\n- [Authorization as a Service](#authorization-as-a-service)\n- [Access Control Models](#access-control-models)\n- [Real-World Implementations](#real-world-implementations)\n- [Security](#security)\n- [Articles \\\u0026 Tutorials](#articles--tutorials)\n- [Videos \\\u0026 Talks](#videos--talks)\n- [Books](#books)\n\n## Policy Engines \u0026 Frameworks\n\n### General Purpose\n\n- [OPA (Open Policy Agent)](https://www.openpolicyagent.org/) - CNCF graduated. General-purpose policy engine with its own language (Rego).\n- [Cedar](https://www.cedarpolicy.com/) - Policy language and engine by AWS. Designed to be analyzable and expressive.\n- [Casbin](https://casbin.org/) - Supports ACL, RBAC, ABAC, etc. Has adapters for many languages and storage backends.\n- [Cerbos](https://cerbos.dev/) - Self-hosted authorization layer. Policies are defined in YAML/JSON with built-in testing support.\n- [Oso](https://www.osohq.com/) - Comes with Polar, a declarative policy language for application-level authorization.\n- [Open Policy Administration Layer (OPAL)](https://github.com/permitio/opal) - Keeps policies and data in sync across policy engines in real time.\n\n### Zanzibar-Based\n\nInspired by Google Zanzibar, Google's global authorization system built around relationship-based access control.\n\n- [SpiceDB](https://github.com/authzed/spicedb) - Zanzibar-inspired database for fine-grained permissions by Authzed.\n- [OpenFGA](https://github.com/openfga/openfga) - Fine-grained authorization engine, originally from Auth0. CNCF Incubating project.\n- [Permify](https://github.com/Permify/permify) - Zanzibar-inspired authorization service for fine-grained access control. Acquired by FusionAuth in 2025.\n- [Ory Keto](https://github.com/ory/keto) - Go implementation of Zanzibar. Part of the Ory ecosystem.\n- [Topaz](https://github.com/aserto-dev/topaz) - Combines Zanzibar model with OPA. By Aserto.\n- [Warrant](https://github.com/warrant-dev/warrant) - Fine-grained authorization engine, Zanzibar-inspired.\n\n### Kubernetes-Native\n\n- [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper) - Kubernetes admission controller using OPA policies.\n- [Kyverno](https://kyverno.io/) - Kubernetes-native policy engine for validation, mutation, and generation.\n- [Kubewarden](https://www.kubewarden.io/) - Policy engine for Kubernetes using WebAssembly.\n- [jsPolicy](https://www.jspolicy.com/) - Write Kubernetes policies in JavaScript/TypeScript.\n\n### AuthZEN Implementations\n\n- [OPA AuthZEN Plugin](https://github.com/kanywst/opa-authzen-plugin) - OPA plugin that implements the OpenID AuthZEN Authorization API.\n- Cerbos - Has AuthZEN PDP API support. See [General Purpose](#general-purpose).\n- [Topaz](https://www.topaz.sh/) - Has AuthZEN evaluation API support. See [Zanzibar-Based](#zanzibar-based).\n\n### Language-Specific Libraries\n\n- [Spring Security](https://spring.io/projects/spring-security) - Security framework for Java/Spring. Handles both authn and authz.\n- [Apache Shiro](https://shiro.apache.org/) - Java security framework covering authn, authz, crypto, and session management.\n- [Pundit](https://github.com/varvet/pundit) - Simple authorization for Ruby on Rails using plain Ruby objects.\n- [CanCanCan](https://github.com/CanCanCommunity/cancancan) - Ruby on Rails authorization. Define what users can and cannot do.\n- [CASL](https://casl.js.org/) - Isomorphic JavaScript/TypeScript authorization supporting ABAC.\n- [Authzed Client Libraries](https://github.com/authzed) - Official SpiceDB clients for Go, Python, Java, Ruby, and Node.js.\n- [django-rules](https://github.com/dfunckt/django-rules) - Object-level permissions for Django using composable predicates.\n- [Laravel Authorization](https://laravel.com/docs/authorization) - Gates and policies for authorization in Laravel.\n\n## Standards \u0026 Specifications\n\n### OpenID AuthZEN\n\n- [AuthZEN Specification](https://openid.net/wg/authzen/) - OpenID working group standardizing a REST API for authorization decisions (PDP/PEP).\n- [AuthZEN Interop](https://github.com/openid/authzen) - Interoperability tests for AuthZEN implementations.\n\n### Identity \u0026 Federation\n\n- [OAuth 2.0 (RFC 6749)](https://datatracker.ietf.org/doc/html/rfc6749) - The standard framework for delegated authorization.\n- [OAuth 2.1 (Draft)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11) - Consolidates OAuth 2.0 and its best practice RFCs into one spec.\n- [OpenID Connect (OIDC)](https://openid.net/developers/how-connect-works/) - Identity layer on top of OAuth 2.0.\n- [UMA 2.0 (User-Managed Access)](https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-grant-2.0.html) - OAuth-based protocol enabling users to control access to their resources.\n- [GNAP](https://datatracker.ietf.org/doc/html/draft-ietf-gnap-core-protocol) - Grant Negotiation and Authorization Protocol. Next-gen successor to OAuth.\n\n### Workload Identity\n\n- [SPIFFE](https://spiffe.io/) - Secure Production Identity Framework for Everyone. Provides cryptographic identity to workloads (CNCF).\n- [SPIRE](https://spiffe.io/docs/latest/spire-about/) - Production-ready SPIFFE runtime.\n- [SPIFFE/SPIRE Documentation](https://spiffe.io/docs/) - Official docs.\n\n### Policy Standards\n\n- [XACML](https://en.wikipedia.org/wiki/XACML) - XML-based standard for ABAC policies. Mature but verbose.\n- [ALFA](https://en.wikipedia.org/wiki/ALFA_\\(authorization\\)) - Human-readable DSL for writing XACML policies.\n\n### Cloud Native\n\n- [CNCF TAG-Security](https://github.com/cncf/tag-security) - CNCF Technical Advisory Group covering authorization, policy, and security.\n\n## Authorization as a Service\n\n- [Auth0 Fine Grained Authorization](https://auth0.com/fine-grained-authorization) - Managed OpenFGA by Auth0/Okta.\n- [Authzed](https://authzed.com/) - Managed SpiceDB. Zanzibar-style fine-grained permissions.\n- [Permit.io](https://www.permit.io/) - Full-stack authorization with a policy management UI and OPAL.\n- [Aserto](https://www.aserto.com/) - Cloud-native authz built on Topaz (OPA + Zanzibar).\n- [Oso Cloud](https://www.osohq.com/oso-cloud) - Managed authorization using the Polar policy language.\n- [Cerbos Hub](https://www.cerbos.dev/product-cerbos-hub) - Managed Cerbos policy deployment and testing.\n- [Amazon Verified Permissions](https://aws.amazon.com/verified-permissions/) - Managed Cedar-based authorization service by AWS.\n- [Axiomatics](https://www.axiomatics.com/) - Enterprise ABAC platform.\n- [PlainID](https://www.plainid.com/) - Policy-based access control for enterprises.\n\n## Access Control Models\n\n- [RBAC](https://en.wikipedia.org/wiki/Role-based_access_control) - Role-Based Access Control. Permissions are assigned to roles, roles to users.\n- [ABAC](https://en.wikipedia.org/wiki/Attribute-based_access_control) - Attribute-Based Access Control. Decisions based on attributes of users, resources, and context.\n- [ReBAC](https://en.wikipedia.org/wiki/Relationship-based_access_control) - Relationship-Based Access Control. Access depends on relationships between entities (see Zanzibar).\n- [PBAC](https://csrc.nist.gov/glossary/term/policy_based_access_control) - Policy-Based Access Control. Policies evaluate access requests dynamically.\n- [DAC](https://en.wikipedia.org/wiki/Discretionary_access_control) - Discretionary Access Control. Resource owners decide who gets access.\n- [MAC](https://en.wikipedia.org/wiki/Mandatory_access_control) - Mandatory Access Control. System-enforced, based on security labels.\n- [ACL](https://en.wikipedia.org/wiki/Access-control_list) - Access Control Lists. Per-object lists of who can do what.\n\n## Real-World Implementations\n\nHow companies do authorization at scale.\n\n- [Google Zanzibar (Paper)](https://research.google/pubs/pub48190/) - Google's global, consistent authorization system.\n- [Airbnb Himeji](https://medium.com/airbnb-engineering/himeji-a-scalable-centralized-system-for-authorization-at-airbnb-341664924574) - Centralized authz system, Zanzibar-based.\n- [Netflix ABAC on SpiceDB](https://netflixtechblog.com/abac-on-spicedb-enabling-netflixs-complex-identity-types-c118f374fa89) - How Netflix handles complex identity types with SpiceDB.\n- [How Netflix Is Solving Authorization Across Their Cloud](https://www.youtube.com/watch?v=R6tUNpRpdnY) - Talk on Netflix's cloud authz.\n- [Carta AuthZ](https://medium.com/building-carta/authz-cartas-highly-scalable-permissions-system-782a7f2c840f) - Scalable permissions system, also Zanzibar-based.\n- [Uber ABAC](https://www.uber.com/blog/attribute-based-access-control-at-uber/) - Centralized ABAC across microservices.\n- [LinkedIn Authorization at Scale](https://engineering.linkedin.com/blog/2019/03/authorization-at-linkedins-scale) - High-performance authz for microservices.\n- [Reddit Advertising Authorization](https://www.reddit.com/r/RedditEng/comments/13vttm8/evolving_authorization_for_our_advertising/) - Fine-grained authz for their ad platform.\n- [Figma Custom Permissions DSL](https://www.figma.com/blog/how-we-rolled-out-our-own-permissions-dsl-at-figma/) - Figma built their own DSL for permissions.\n- [Intuit AuthZ](https://medium.com/intuit-engineering/authz-intuits-unified-dynamic-authorization-system-bea554d18f91) - XACML-based unified authz system.\n- [Lyft Airflow DAG-Level Access](https://eng.lyft.com/securing-apache-airflow-ui-with-dag-level-access-a7bc649a2821) - DAG-level access control on Airflow.\n- [AppsFlyer Microservices Authorization](https://medium.com/appsflyerengineering/authorization-solution-for-microservices-architecture-a2ac0c3c510b) - Authz patterns in microservices.\n- [Ubicloud ABAC Learnings](https://www.ubicloud.com/blog/learnings-from-building-a-simple-authorization-system-abac) - Lessons from building a simple ABAC system.\n\n## Security\n\n- [OWASP Top 10 - Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/) - #1 web security risk (2021).\n- [OWASP Authorization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html) - Authz best practices.\n- [OWASP API Security Top 10](https://owasp.org/www-project-api-security/) - Top API security risks, including broken authz.\n- [Insecure Direct Object References (IDOR)](https://portswigger.net/web-security/access-control/idor) - One of the most common access control vulnerabilities.\n- [CISA/NSA IDOR Advisory](https://www.theregister.com/2023/07/29/cisa_nsa_idor_australia/) - Joint advisory on IDOR prevalence.\n- [Building a Modern Zero Trust Strategy](https://thenewstack.io/ebooks/security/trust-no-one-and-automate-almost-everything-building-a-modern-zero-trust-strategy) - Zero trust overview by The New Stack.\n\n## Articles \u0026 Tutorials\n\n- [API Tokens: A Tedious Survey](https://fly.io/blog/api-tokens-a-tedious-survey/) - Tour of API security approaches.\n- [Authorization in a Microservices World](https://www.alexanderlolis.com/authorization-in-a-microservices-world) - Patterns for authz in microservices.\n- [AWS - AuthZ for SaaS Multi-Tenant Apps](https://docs.aws.amazon.com/prescriptive-guidance/latest/saas-multitenant-api-access-authorization/welcome.html) - How to set up authz in multi-tenant apps on AWS.\n- [Permissions Systems: Category Notes](https://kojo.blog/permissions-sytems/) - Landscape overview of permissions systems.\n- [What Do Authentication and Authorization Mean in Zero Trust?](https://thenewstack.io/what-do-authentication-and-authorization-mean-in-zero-trust/) - Authn vs authz in zero trust.\n- [Feature Flags and Authorization Abstract the Same Concept](https://ntietz.com/blog/feature-flags-and-authorization/) - Interesting comparison of the two.\n- [How To Structure Permissions In A SaaS App](https://heap.io/blog/structure-permissions-saas-app) - RBAC, ACLs, and more in SaaS.\n- [Why Google Zanzibar Shines at Building Authorization](https://workos.com/blog/google-zanzibar-authorization) - What makes Zanzibar a good fit for app authz.\n- [MCP and Zero Trust: Securing AI Agents With Identity and Policy](https://www.cerbos.dev/blog/mcp-and-zero-trust-securing-ai-agents-with-identity-and-policy) - Applying authz to AI agents via MCP.\n\n## Videos \u0026 Talks\n\n- [Hashicorp - Microservice Authentication and Authorization (2019)](https://www.youtube.com/watch?v=ZjPF8yZ83Wo) - Authn/authz patterns for microservices.\n- [Deloitte - Zero Trust with ABAC (2022)](https://www.youtube.com/watch?v=-XFn85HtVDA) - ABAC in zero trust architecture.\n- [Zanzibar at @Scale 2019](https://www.facebook.com/atscaleevents/videos/scale-2019-zanzibar-googles-consistent-global-authorization-system/524366141717632/) - Google presenting Zanzibar.\n- [Zanzibar Academy](https://zanzibar.academy/) - Learning resources about Zanzibar by Auth0.\n\n## Books\n\n- [Solving Identity Management in Modern Applications](https://link.springer.com/book/10.1007/978-1-4842-8261-8) - Authn, authz, and identity management patterns (Apress).\n- [OAuth 2 in Action](https://www.manning.com/books/oauth-2-in-action) - Deep dive into OAuth 2.0 (Manning).\n\n## Contributing\n\nContributions welcome! Please read the [contribution guidelines](CONTRIBUTING.md) first.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkanywst%2Fawesome-authorization","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkanywst%2Fawesome-authorization","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkanywst%2Fawesome-authorization/lists"}