# spicedb
y
Keycloak did a survey about their Authorization server, so they are probably looking around to replace it or remove it from Keycloak as something external. Which led me to the following. Based on https://www.keycloak.org/docs/latest/authorization_services/ I am wondering how many How-To guides SpiceDB has implementing all those things, or even better, pairing SpiceDB with Keycloak. Have you done any of that?!
v
We haven't done a side-by-side comparison of SpiceDB with the Keycloak authz engine, and we don't have an exhaustive list of implementing all those paradigms, but as Joey mentioned, combining SpiceDB's relational paradigm with the Caveats feature can essentially support all of that. We typically publish blog posts that serve as How-To's - an idea we may want to revisit for discoverability's sake:

ABAC:
- https://authzed.com/blog/abac-on-spicedb-enabling-netflix-complex-identity-types
- https://authzed.com/blog/top-three-caveat-use-cases

RBAC Example:
- https://authzed.com/blog/google-cloud-iam-modeling
- https://authzed.com/blog/user-defined-roles

We don't have examples for these, but based on SpiceDB's language, it will support:
- **User-Based Access Control (UBAC)**: This is essentially assigning permissions to users directly.
- **Context-based access control (CBAC)**: This can be implemented with SpiceDB Caveats, which is a great fit for contextual information.
- Rule-based access control: I assume this is a different name for Policy-Based Access Control. In general you can implement Policy with SpiceDB, but it does not work like something like OPA, where the policy is at the center of their design. In SpiceDB relationships are at the center, and policy is layered on top using Caveats. You cannot do Policy without the relationship bits. I strongly believe this is an advantage, as it enables you to use the right tool for the job.
- **Time-based access control**: You can do this with SpiceDB Caveats, see an example in this blog post: https://authzed.com/blog/top-three-caveat-use-cases

The one that I don't think it currently supports is Custom Access Control Mechanisms, which if I understand correctly, means to extend the engine to call external RPC methods to determine the outcome. We've discussed similar concepts, but personally I don't think it's a great idea to couple the failure domain of SpiceDB with an external service beyond the database.
This is probably a good post also to learn about some schema language patterns typically used to build any of those access control paradigms: https://authzed.com/blog/schema-language-patterns
y
PLEASE I BEG YOU FOR THE LOVE OF COMPUTER SCIENCE don’t add RPC or any calling to outside services
I am frustrated enough with talented people giving up with horrible architecture designs around the tools done by other people they build, and the presumption makes their tool yet another horrible architecture design 🥲🥲🥲🥲🥲🥲🥲
Every time I see somebody asking for that feature, two things come to mind:
1. What is their understanding of eventual consistency and the speed of light limitation
2. Why they haven't done Event-Driven, at the very least a simple Outbox Pattern yet 🥲🥲🥲🥲
v
yeah, there is a lot of effort put into SpiceDB to make sure it supports various levels of consistency depending on folks' needs, so integrating with third-party services compromises that. Some domains require stricter consistency, that's why Zanzibar (and SpiceDB) need to run on top of databases supporting strong consistency. This has historically been less common in distributed databases, but started to become more widespread with Spanner and derivatives.
y
Read the blog posts! Really cool
v
It could be feasible if that RPC service lived in the same transactional boundary, which is rare these days
y
I haven’t been able to sleep all night watching videos and reading 🥲
Don't entertain the idea of it 🥲🥲🥲🥲🥲🥲🥲🥲🥲🥲🥲🥲🥲🥲🥲🥲
In all seriousness, it has been 4 years since I wanted something like this tool
So many discouraging situations because I didn't have access to work with talented people or environments that gave me a North Star, so I always ended up on wasteful implementations
I am in love with it!
v
That makes two of us then 😉 Happy to support you in this journey