
API Gateway level authorization and policy enforcement on response


I am currently looking for a way to integrate Authorization to a microservice architecture with API Gateway (Kong). For Authentication Keycloak is being used and enforced via Kong. Now I want to create policies for granting access rights to the resources behind the gateway (e.g. resource should only be accessed by creator or admin). OPA seemed like the perfect fit, but it seemingly can't be used for stripping fields off the response. If I for example want to hide certain fields the service has added to the response from the client or want to only allow PATCH on some fields, OPA can't be used. Did I miss something or do you know of a better solution for my use case?


Solution

  • How we ended up doing it: OPA and OSO are both really good solutions for authorization, but they didn't match what we were looking for. We wanted to 1. be able to gather information from databases about user attributes or relationships between data to decide whether the user should have access or not, and 2. be able to remove certain fields from the response. None of the available open source solutions seemed to provide this, so we decided to develop our own.

    Our service is able to process a JSON-based policy dsm. Policies can include queries to a MongoDB, Neo4j, or to parts of the query. This way we can create truly generic policies for fine-grained access policies. The policy service is not deployed at the gateway level, but is integrated as middleware into the microservices that require Auth. If you want to learn more about our solution, check out our documentation on the topic.
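The pattern the question and the answer describe (decide access from the caller's roles plus an ownership lookup, then strip fields from the response and restrict which fields a PATCH may touch) as an added example. This is illustration code written for this page, not the answerer's policy service and not OPA; the resource store, the field names and the owner/admin rules are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, Optional

# Constructed stand-in for the database the policy middleware would query
# for ownership; field names are assumptions made for this example.
RESOURCES: Dict[str, Dict[str, Any]] = {
    "doc-1": {"id": "doc-1", "owner": "alice", "title": "Q3 plan",
              "body": "draft text", "internal_score": 0.91,
              "audit_trail": ["created by alice"]},
}
INTERNAL_FIELDS = frozenset({"internal_score", "audit_trail"})
OWNER_PATCHABLE = frozenset({"title", "body"})


@dataclass(frozen=True)
class Decision:
    allow: bool
    hidden: FrozenSet[str] = frozenset()     # stripped from the response
    patchable: FrozenSet[str] = frozenset()  # fields a PATCH may touch


def evaluate(sub: str, roles: FrozenSet[str], resource_id: str) -> Decision:
    """Policy: admins see and edit everything; the owner sees non-internal
    fields and may patch only title/body; everyone else is denied."""
    resource = RESOURCES.get(resource_id)
    if resource is None:
        return Decision(allow=False)  # deny by default
    if "admin" in roles:
        return Decision(True, frozenset(), frozenset(resource) - {"id"})
    if resource["owner"] == sub:
        return Decision(True, INTERNAL_FIELDS, OWNER_PATCHABLE)
    return Decision(allow=False)


def handle_get(sub: str, roles: FrozenSet[str], resource_id: str) -> Optional[Dict[str, Any]]:
    """Middleware for GET: None means the request is refused, otherwise
    the response body with the hidden fields removed."""
    d = evaluate(sub, roles, resource_id)
    if not d.allow:
        return None
    return {k: v for k, v in RESOURCES[resource_id].items() if k not in d.hidden}


def handle_patch(sub: str, roles: FrozenSet[str], resource_id: str, patch: Dict[str, Any]) -> bool:
    """Middleware for PATCH: apply only if every touched field is allowed."""
    d = evaluate(sub, roles, resource_id)
    if not d.allow or set(patch) - d.patchable:
        return False  # reject the whole patch, never a partial write
    RESOURCES[resource_id].update(patch)
    return True
```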