
🤔 How Do We Move Scopes out of OPA Data Bundle? #8

@usize

Description

In the current version of the demo, scopes are hard coded.

Problem

In conversations with @pavelanni we've explored limitations with OPA, namely, how do we manage per-document permissions?

Even now, managing scope intersections with OPA will require ONE OF:

  • An OPA data bundle with some static mappings; potentially loaded from a sidecar.
  • A lookup from OPA to an external db/authz service.
  • Passing two tokens to OPA, one from the request header and one associated with the service.

Proposed Solution

Explore using an approach more suited for ReBAC like SpiceDB.

https://authzed.com/docs/spicedb/getting-started/coming-from/opa

We can continue to use Keycloak as an Identity Provider, and can integrate via something like

https://github.com/DGuhr/keycloak-spicedb-eventlistener

This allows us to leverage Keycloak for SPIFFE/SPIRE integration and token exchange, along with SpiceDB for fine-grained authorization.

If we want to be really fancy, we can also incorporate Authorino for transparent enforcement:

https://github.com/guicassolato/authorino-spicedb

Pretty ASCII table because why not

  ┌───────────────────────────────────┬────────────────────────────────┐
  │              Concern              │             System             │
  ├───────────────────────────────────┼────────────────────────────────┤
  │ User authentication               │ Keycloak                       │
  ├───────────────────────────────────┼────────────────────────────────┤
  │ Token issuance/validation         │ Keycloak                       │
  ├───────────────────────────────────┼────────────────────────────────┤
  │ SPIFFE/SPIRE integration          │ Keycloak                       │
  ├───────────────────────────────────┼────────────────────────────────┤
  │ Token exchange (audience binding) │ Keycloak                       │
  ├───────────────────────────────────┼────────────────────────────────┤
  │ User ↔ group/role relationships   │ SpiceDB (synced from Keycloak) │
  ├───────────────────────────────────┼────────────────────────────────┤
  │ Agent capabilities                │ SpiceDB                        │
  ├───────────────────────────────────┼────────────────────────────────┤
  │ Document permissions              │ SpiceDB                        │
  ├───────────────────────────────────┼────────────────────────────────┤
  │ Intersection logic                │ SpiceDB (schema-level)         │
  └───────────────────────────────────┴────────────────────────────────┘

Open questions

  • Does the event listener handle agent registration, or just users/groups?
  • How do we want to sync document permissions with SpiceDB?
  • Are there policies that OPA is specifically better for, where we might want to keep it?
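The "intersection logic (schema-level)" row above and the per-document permission problem from the description, worked through as an added example. This is a toy in-memory ReBAC model written for this page; it is not SpiceDB, Keycloak, the event listener, or the demo's own code. The object types (`user`, `group`, `agent`, `collection`, `document`), the relation names (`member`, `viewer`, `collection`, `agent_reader`), the schema sketched in the comment, and every sample tuple are constructed assumptions. What it shows is the shape of the check that currently needs two tokens or an external lookup in OPA: a document is viewable only when the user (directly or via a group) is a viewer AND the agent acting for them holds a read capability on the document's collection, and adding a new document is one more tuple rather than a rebuilt data bundle.

```python
# Added example: toy ReBAC store evaluating the user/agent intersection that
# the issue proposes to express in a SpiceDB schema. Not SpiceDB or the demo's
# code; object types, relations and sample tuples are constructed.
#
# The rules below mimic a hypothetical schema of roughly this shape:
#
#     definition user {}
#     definition group { relation member: user }
#     definition agent {}
#     definition collection { relation agent_reader: agent }
#     definition document {
#         relation viewer: user | group#member
#         relation collection: collection
#         permission view = viewer & collection->agent_reader
#     }
#
# "viewer & collection->agent_reader" is the schema-level intersection: the
# user must be a viewer AND the agent acting for them must have a read
# capability on the document's collection.
from collections import defaultdict


class RelationStore:
    """Minimal relationship graph. Tuples are
    (resource_type, resource_id, relation, subject_type, subject_id);
    subject_type "group#member" means "every member of that group"."""

    def __init__(self, relationships):
        self._index = defaultdict(set)
        for res_type, res_id, relation, subj_type, subj_id in relationships:
            self._index[(res_type, res_id, relation)].add((subj_type, subj_id))

    def subjects(self, res_type, res_id, relation):
        return self._index.get((res_type, res_id, relation), set())

    def has_relation(self, res_type, res_id, relation, subj_type, subj_id):
        """True for a direct subject, or indirectly via a group#member subject."""
        subjects = self.subjects(res_type, res_id, relation)
        if (subj_type, subj_id) in subjects:
            return True
        return any(
            s_type == "group#member"
            and (subj_type, subj_id) in self.subjects("group", s_id, "member")
            for s_type, s_id in subjects
        )


def can_view(store, doc_id, user_id, agent_id):
    """Evaluate 'permission view = viewer & collection->agent_reader'."""
    user_is_viewer = store.has_relation("document", doc_id, "viewer", "user", user_id)
    # Arrow expression: follow document -> collection, then check agent_reader there.
    agent_allowed = any(
        store.has_relation("collection", coll_id, "agent_reader", "agent", agent_id)
        for _, coll_id in store.subjects("document", doc_id, "collection")
    )
    return user_is_viewer and agent_allowed


# Constructed sample data: one group, two documents, one agent with a capability.
STORE = RelationStore([
    ("group", "eng", "member", "user", "alice"),
    ("document", "doc-1", "viewer", "group#member", "eng"),
    ("document", "doc-1", "collection", "collection", "shared"),
    ("document", "doc-2", "viewer", "user", "alice"),
    ("document", "doc-2", "collection", "collection", "private"),
    ("collection", "shared", "agent_reader", "agent", "summarizer"),
])


def demo():
    """Per-document outcomes for a few (user, agent, document) combinations."""
    return {
        # True: alice is a viewer via the eng group and the agent can read 'shared'
        "alice/summarizer/doc-1": can_view(STORE, "doc-1", "alice", "summarizer"),
        # False: bob is not a viewer of doc-1
        "bob/summarizer/doc-1": can_view(STORE, "doc-1", "bob", "summarizer"),
        # False: alice may view doc-2, but the agent has no capability on 'private'
        "alice/summarizer/doc-2": can_view(STORE, "doc-2", "alice", "summarizer"),
        # False: an agent with no capabilities at all
        "alice/other-agent/doc-1": can_view(STORE, "doc-1", "alice", "other-agent"),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'ALLOW' if allowed else 'DENY'}")
```

The point of the split is that neither half of the check needs to travel inside a token: the user's identity comes from the Keycloak-issued token, the agent's identity from its workload identity, and both are resolved against the same relationship graph at check time, which is what the "passing two tokens to OPA" option was trying to approximate.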
