Authorization

OpenFGA

Founded: 2022
Location: Distributed (CNCF project, originated at Auth0/Okta)
Licensing: Open source (CNCF)
Score: 4.2/5
Evaluated: 2026-02-10

Capability scores

Authentication: 1.5
SSO & Federation: 1.5
Authorization: 4.7
Lifecycle & Provisioning: 3.0
MFA & Passwordless: 1.0
Governance & Audit: 3.5
Developer Experience: 4.3
Deployment Flexibility: 4.5
Pricing Transparency: 4.5
Support & Ecosystem: 3.5

Scored 0–5 against a published rubric. Independent analysis, no vendor sponsorship.

Overview

OpenFGA is a CNCF-hosted, Apache 2.0 licensed authorization engine implementing the Google Zanzibar relationship-based model. It came out of Auth0/Okta and is now the de facto open-source choice for fine-grained, relationship-driven permissions.

Capability deep-dive

The relationship model is the strength: you define types and relations, write tuples, and check access with low latency, which handles hierarchical and shared-resource permissions that RBAC struggles with. The DSL, playground, and SDKs make modeling approachable, and self-hosting is straightforward with Postgres or MySQL. As an engine it deliberately does nothing on authentication, SSO, or MFA, so those scores are low by design. Governance tooling (audit, change management) is thinner than a packaged product, and you own operations unless you buy Okta FGA, the managed offering. Performance at very large tuple counts requires care around store design and caching.
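The define-types-and-relations, write-tuples, check-access flow described above, as an added toy example written for this review rather than OpenFGA's own engine or SDK; the model, tuples, and user and object names are constructed, and the rewrite forms mirror what the OpenFGA DSL expresses (direct assignment, computed relation, and "viewer from parent"):

```python
# Toy Zanzibar-style relationship check. Illustration only; it is NOT
# OpenFGA's engine or SDK, just the evaluation idea in a few lines.

# Constructed model, equivalent to this OpenFGA DSL:
#   type folder:   owner: [user]; viewer: [user] or owner
#   type document: parent: [folder]; owner: [user];
#                  viewer: [user] or owner or viewer from parent
# Rule forms: ("direct",) = tuple lookup on this object,
# ("computed", rel) = another relation on the same object,
# ("from", tupleset, rel) = follow a tuple to a related object and
# evaluate rel there (this is what lets folder access flow to documents).
MODEL = {
    "folder": {
        "owner": [("direct",)],
        "viewer": [("direct",), ("computed", "owner")],
    },
    "document": {
        "parent": [("direct",)],
        "owner": [("direct",)],
        "viewer": [("direct",), ("computed", "owner"), ("from", "parent", "viewer")],
    },
}

# Constructed relationship tuples: (object, relation, user).
TUPLES = {
    ("folder:finance", "owner", "user:anne"),
    ("document:q3-report", "parent", "folder:finance"),
    ("document:q3-report", "viewer", "user:bob"),
}

def check(obj, relation, user, tuples=TUPLES, depth=0):
    """Return True if `user` holds `relation` on `obj`, expanding rewrites."""
    if depth > 25:  # guard against cyclic models or tuple graphs
        raise RecursionError("rewrite depth exceeded")
    obj_type = obj.split(":", 1)[0]
    for rule in MODEL.get(obj_type, {}).get(relation, []):
        if rule[0] == "direct" and (obj, relation, user) in tuples:
            return True
        if rule[0] == "computed" and check(obj, rule[1], user, tuples, depth + 1):
            return True
        if rule[0] == "from":
            _, tupleset, rel = rule
            for o, r, related in tuples:
                if o == obj and r == tupleset and check(related, rel, user, tuples, depth + 1):
                    return True
    return False

if __name__ == "__main__":
    # anne only owns the folder, yet can view the document via parent;
    # bob is a direct viewer; carol has no relationship path at all.
    print(check("document:q3-report", "viewer", "user:anne"))   # True
    print(check("document:q3-report", "viewer", "user:bob"))    # True
    print(check("document:q3-report", "viewer", "user:carol"))  # False
```

Every check here walks the tuple graph at request time, which is why the review notes that store design and caching matter once tuple counts grow.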

Pricing

Free and open source under Apache 2.0 for self-hosting. Okta FGA provides a managed, paid version with support and SLAs for teams that do not want to operate it.

Bottom line

Pick OpenFGA if you need Zanzibar-style ReBAC and are comfortable running infrastructure or paying for the managed version.

Independent editorial review. Author: Deepak Gupta. Last evaluated 2026-02-10.