Skip to content

kanywst/awesome-authorization

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

49 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Awesome Authorization Awesome

Awesome Authorization

Authorization and access control: policy engines, standards, services, and learning resources.

Contents

Policy Engines & Frameworks

General Purpose

  • OPA (Open Policy Agent) - CNCF graduated. General-purpose policy engine with its own language (Rego).
  • Cedar - Policy language and engine by AWS. Designed to be analyzable and expressive.
  • Casbin - Supports ACL, RBAC, ABAC, etc. Has adapters for many languages and storage backends.
  • Cerbos - Self-hosted authorization layer. Policies are defined in YAML/JSON with built-in testing support.
  • Open Policy Administration Layer (OPAL) - Keeps policies and data in sync across policy engines in real time.
  • Pomerium - Identity-aware reverse proxy that enforces context-aware authorization policies.
  • Biscuit - Capability-based authorization token format with Datalog policies, offline verification, and bearer-side attenuation.

Zanzibar-Based

Inspired by Google Zanzibar, Google's global authorization system built around relationship-based access control.

  • SpiceDB - Zanzibar-inspired database for fine-grained permissions by Authzed.
  • OpenFGA - Fine-grained authorization engine, originally from Auth0. CNCF Incubating project.
  • Permify - Zanzibar-inspired authorization service for fine-grained access control. Acquired by FusionAuth in 2025.
  • Ory Keto - Go implementation of Zanzibar. Part of the Ory ecosystem.
  • Topaz - Open-source authorizer combining the Zanzibar model with OPA.

Kubernetes-Native

  • OPA Gatekeeper - Kubernetes admission controller using OPA policies.
  • Kyverno - Kubernetes-native policy engine for validation, mutation, and generation.
  • Kubewarden - Policy engine for Kubernetes using WebAssembly.
  • jsPolicy - Write Kubernetes policies in JavaScript/TypeScript.

AuthZEN Implementations

  • Cerbos - Has AuthZEN PDP API support. See General Purpose.
  • Topaz - Has AuthZEN evaluation API support. See Zanzibar-Based.
  • Keycloak - Ships experimental AuthZEN PDP support as of Keycloak 26.7, exposing the evaluation API and /.well-known/authzen-configuration.

Language-Specific Libraries

  • Spring Security - Security framework for Java/Spring. Handles both authn and authz.
  • Apache Shiro - Java security framework covering authn, authz, crypto, and session management.
  • Pundit - Simple authorization for Ruby on Rails using plain Ruby objects.
  • CanCanCan - Ruby on Rails authorization. Define what users can and cannot do.
  • CASL - Isomorphic JavaScript/TypeScript authorization supporting ABAC.
  • Authzed Client Libraries - Official SpiceDB clients for Go, Python, Java, Ruby, and Node.js.
  • django-rules - Object-level permissions for Django using composable predicates.
  • Laravel Authorization - Gates and policies for authorization in Laravel.

Standards & Specifications

OpenID AuthZEN

Identity & Federation

Agent & AI Authorization

  • MCP Authorization - OAuth 2.1-based authorization model in the Model Context Protocol. Defines how AI clients obtain and present tokens to MCP servers.

Workload Identity

  • SPIFFE - Secure Production Identity Framework for Everyone. Provides cryptographic identity to workloads (CNCF).
  • SPIRE - Production-ready SPIFFE runtime.

Policy Standards

  • XACML - XML-based standard for ABAC policies. Mature but verbose.
  • ALFA - Human-readable DSL for writing XACML policies.

Authorization as a Service

Access Control Models

  • RBAC - Role-Based Access Control. Permissions are assigned to roles, roles to users.
  • ABAC - Attribute-Based Access Control. Decisions based on attributes of users, resources, and context.
  • ReBAC - Relationship-Based Access Control. Access depends on relationships between entities (see Zanzibar).
  • PBAC - Policy-Based Access Control. Policies evaluate access requests dynamically.
  • DAC - Discretionary Access Control. Resource owners decide who gets access.
  • MAC - Mandatory Access Control. System-enforced, based on security labels.
  • ACL - Access Control Lists. Per-object lists of who can do what.

Real-World Implementations

How companies do authorization at scale.

Security

Articles & Tutorials

Videos & Talks

Books

Contributing

Contributions welcome! Please read the contribution guidelines first.

About

Authorization and access control tools, frameworks, standards, and resources.

Topics

Resources

License

Code of conduct

Contributing

Stars

5 stars

Watchers

1 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors