Awesome Authorization

Authorization and access control: policy engines, standards, services, and learning resources.

Contents

• Policy Engines & Frameworks
• Standards & Specifications
• Authorization as a Service
• Access Control Models
• Real-World Implementations
• Security
• Articles & Tutorials
• Videos & Talks
• Books

Policy Engines & Frameworks

General Purpose

• OPA (Open Policy Agent) - CNCF graduated. General-purpose policy engine with its own language (Rego).
• Cedar - Policy language and engine by AWS. Designed to be analyzable and expressive.
• Casbin - Supports ACL, RBAC, ABAC, etc. Has adapters for many languages and storage backends.
• Cerbos - Self-hosted authorization layer. Policies are defined in YAML/JSON with built-in testing support.
• Open Policy Administration Layer (OPAL) - Keeps policies and data in sync across policy engines in real time.
• Pomerium - Identity-aware reverse proxy that enforces context-aware authorization policies.

Zanzibar-Based

Inspired by Google Zanzibar, Google's global authorization system built around relationship-based access control.

• SpiceDB - Zanzibar-inspired database for fine-grained permissions by Authzed.
• OpenFGA - Fine-grained authorization engine, originally from Auth0. CNCF Incubating project.
• Permify - Zanzibar-inspired authorization service for fine-grained access control. Acquired by FusionAuth in 2025.
• Ory Keto - Go implementation of Zanzibar. Part of the Ory ecosystem.
• Topaz - Open-source authorizer combining the Zanzibar model with OPA.
• Warrant - Fine-grained authorization engine, Zanzibar-inspired.

Kubernetes-Native

• OPA Gatekeeper - Kubernetes admission controller using OPA policies.
• Kyverno - Kubernetes-native policy engine for validation, mutation, and generation.
• Kubewarden - Policy engine for Kubernetes using WebAssembly.
• jsPolicy - Write Kubernetes policies in JavaScript/TypeScript.

AuthZEN Implementations

• Cerbos - Has AuthZEN PDP API support. See General Purpose.
• Topaz - Has AuthZEN evaluation API support. See Zanzibar-Based.
• Keycloak - Ships experimental AuthZEN PDP support as of Keycloak 26.7, exposing the evaluation API and /.well-known/authzen-configuration.

Language-Specific Libraries

• Spring Security - Security framework for Java/Spring. Handles both authn and authz.
• Apache Shiro - Java security framework covering authn, authz, crypto, and session management.
• Pundit - Simple authorization for Ruby on Rails using plain Ruby objects.
• CanCanCan - Ruby on Rails authorization. Define what users can and cannot do.
• CASL - Isomorphic JavaScript/TypeScript authorization supporting ABAC.
• Authzed Client Libraries - Official SpiceDB clients for Go, Python, Java, Ruby, and Node.js.
• django-rules - Object-level permissions for Django using composable predicates.
• Laravel Authorization - Gates and policies for authorization in Laravel.

Standards & Specifications

OpenID AuthZEN

• AuthZEN Specification - OpenID standard for a REST API for authorization decisions (PDP/PEP), approved as a Final Specification on 2026-01-12.
• AuthZEN Interop - Interoperability tests for AuthZEN implementations.

Identity & Federation

• OAuth 2.0 (RFC 6749) - The standard framework for delegated authorization.
• OAuth 2.1 (Draft) - Consolidates OAuth 2.0 and its best practice RFCs into one spec.
• OpenID Connect (OIDC) - Identity layer on top of OAuth 2.0.
• UMA 2.0 (User-Managed Access) - OAuth-based protocol enabling users to control access to their resources.
• GNAP - Grant Negotiation and Authorization Protocol. Next-gen successor to OAuth.

Agent & AI Authorization

• MCP Authorization - OAuth 2.1-based authorization model in the Model Context Protocol. Defines how AI clients obtain and present tokens to MCP servers.

Workload Identity

• SPIFFE - Secure Production Identity Framework for Everyone. Provides cryptographic identity to workloads (CNCF).
• SPIRE - Production-ready SPIFFE runtime.
• SPIFFE/SPIRE Documentation - Official docs.

Policy Standards

• XACML - XML-based standard for ABAC policies. Mature but verbose.
• ALFA - Human-readable DSL for writing XACML policies.

Cloud Native

• CNCF TAG-Security - CNCF Technical Advisory Group covering authorization, policy, and security. GitHub repo archived Dec 2025.

Authorization as a Service

• Auth0 Fine Grained Authorization - Managed OpenFGA by Auth0/Okta.
• Authzed - Managed SpiceDB. Zanzibar-style fine-grained permissions.
• Permit.io - Full-stack authorization with a policy management UI and OPAL.
• Oso Cloud - Managed authorization using the Polar policy language.
• Cerbos Hub - Managed Cerbos policy deployment and testing.
• Amazon Verified Permissions - Managed Cedar-based authorization service by AWS.
• WorkOS FGA - Zanzibar-based FGA service built on the Warrant engine.
• Axiomatics - Enterprise ABAC platform.
• PlainID - Policy-based access control for enterprises.

Access Control Models

• RBAC - Role-Based Access Control. Permissions are assigned to roles, roles to users.
• ABAC - Attribute-Based Access Control. Decisions based on attributes of users, resources, and context.
• ReBAC - Relationship-Based Access Control. Access depends on relationships between entities (see Zanzibar).
• PBAC - Policy-Based Access Control. Policies evaluate access requests dynamically.
• DAC - Discretionary Access Control. Resource owners decide who gets access.
• MAC - Mandatory Access Control. System-enforced, based on security labels.
• ACL - Access Control Lists. Per-object lists of who can do what.

Real-World Implementations

How companies do authorization at scale.

• Google Zanzibar (Paper) - Google's global, consistent authorization system.
• Airbnb Himeji - Centralized authz system, Zanzibar-based.
• Netflix ABAC on SpiceDB - How Netflix handles complex identity types with SpiceDB.
• How Netflix Is Solving Authorization Across Their Cloud - Talk on Netflix's cloud authz.
• Carta AuthZ - Scalable permissions system, also Zanzibar-based.
• Uber ABAC - Centralized ABAC across microservices.
• LinkedIn Authorization at Scale - High-performance authz for microservices.
• Reddit Advertising Authorization - Fine-grained authz for their ad platform.
• Figma Custom Permissions DSL - Figma built their own DSL for permissions.
• Intuit AuthZ - XACML-based unified authz system.
• Lyft Airflow DAG-Level Access - DAG-level access control on Airflow.
• AppsFlyer Microservices Authorization - Authz patterns in microservices.
• Ubicloud ABAC Learnings - Lessons from building a simple ABAC system.
• Slack Role Management - Slack's transition from coarse roles to granular RBAC with a dedicated Go permissions service.
• Notion Custom Agent Security - Permission model for AI agents acting on behalf of users in shared workspaces.

Security

• OWASP Top 10 - Broken Access Control - #1 web security risk (2021).
• OWASP Authorization Cheat Sheet - Authz best practices.
• OWASP API Security Top 10 - Top API security risks, including broken authz.
• OWASP Top 10 for Agentic Applications 2026 - Framework for autonomous AI agents focusing on overprivileged non-human identities (NHI) and delegated privilege abuse.
• Insecure Direct Object References (IDOR) - One of the most common access control vulnerabilities.
• CISA/NSA IDOR Advisory - Joint advisory on IDOR prevalence.
• Building a Modern Zero Trust Strategy - Zero trust overview by The New Stack.

Articles & Tutorials

• API Tokens: A Tedious Survey - Tour of API security approaches.
• Authorization in a Microservices World - Patterns for authz in microservices.
• AWS - AuthZ for SaaS Multi-Tenant Apps - How to set up authz in multi-tenant apps on AWS.
• Permissions Systems: Category Notes - Landscape overview of permissions systems.
• What Do Authentication and Authorization Mean in Zero Trust? - Authn vs authz in zero trust.
• Feature Flags and Authorization Abstract the Same Concept - Interesting comparison of the two.
• How To Structure Permissions In A SaaS App - RBAC, ACLs, and more in SaaS.
• Why Google Zanzibar Shines at Building Authorization - What makes Zanzibar a good fit for app authz.
• MCP and Zero Trust: Securing AI Agents With Identity and Policy - Applying authz to AI agents via MCP.
• Multi-Tenant Permissions Done Right - Patterns extracted from how Slack, Notion, and Linear handle role explosion at scale.
• Cloudflare - Managed OAuth for Access - Uses RFCs 7591, 7636, and 9728 to make internal apps agent-ready with per-user attribution instead of shared service accounts, avoiding the confused deputy problem.

Videos & Talks

• Hashicorp - Microservice Authentication and Authorization (2019) - Authn/authz patterns for microservices.
• Deloitte - Zero Trust with ABAC (2022) - ABAC in zero trust architecture.
• Zanzibar at @Scale 2019 - Google presenting Zanzibar.
• Zanzibar Academy - Learning resources about Zanzibar by Auth0.

Books

• Solving Identity Management in Modern Applications - Authn, authz, and identity management patterns (Apress).
• OAuth 2 in Action - Deep dive into OAuth 2.0 (Manning).

Contributing

Contributions welcome! Please read the contribution guidelines first.