Support mTLS based authentication in OpenFGA server #371
ssrirama-aka started this conversation in Ideas
Replies: 1 comment
-
My company is a famous bank.
-
Currently OpenFGA supports TLS-based authentication. The TLS-based approach is limited to a server-based certificate and key, and the key is pre-shared with clients connecting to OpenFGA server. This does not, however, prevent on-path or man-in-the-middle attacks where an attacker eavesdrops, manipulates or intercepts messages passing between client and OpenFGA server. From a zero trust and distributed architecture perspective, enabling mTLS between client and OpenFGA server prevents such attacks by establishing trust and security in both directions.
The use case where this is especially applicable is a situation in which OpenFGA serves as a core authorization engine, but OpenFGA itself is part of a broader microservice-based IAM solution or a broader general platform with multiple components connecting to OpenFGA to perform an authorization check. In this use case, client identity also matters, as much as the server identity.
Would like to see OpenFGA support mTLS-based authentication.