Okta FGA vs OpenFGA - what’s the difference?
Okta FGA is based on OpenFGA, an open-source authorization system owned by the Cloud Native Foundation, of which Okta is a key maintainer.
OpenFGA is free to use and has the same core functionality as Okta FGA. However, running an authorization service at scale can be challenging, and doing so is part of the value provided by Okta FGA.
Below is a list of the differences between the products:
Features | Okta Fine Grained Authorization | OpenFGA |
---|---|---|
Availability | Deployed in two cloud regions per jurisdiction (US/Australia/Europe) and uses a database configured with Active-Active replication, so it can survive a regional AWS failure. | Customers are responsible for availability. OpenFGA currently supports Postgres and MySQL, which must be failed over to another replica in a data emergency. |
Scalability | Okta FGA has been tested with 1M RPS and 100 billion relationship tuples. | Customers must run their own performance and load testing. |
Cloud Security | Okta secures the cloud perimeter. | Customer is responsible for securing the cloud perimeter. |
Database Migrations | Okta runs database migrations with no downtime. | Customers must run their own database migrations, which can lead to downtime. |
Backups | Okta FGA database supports point-in-time recovery and is backed up frequently. | Customers must run their own database backups. |
Security Patches | Okta updates OpenFGA with the latest security patches. | Customers must update their OpenFGA version. |
Monitoring | Okta monitors uptime and latency and is responsible for resolving production issues with the product. | Customers must monitor the uptime/latency and handle production issues. |
Status Page | Okta provides a status page to monitor availability. | Customers must manage their own OpenFGA communications. |
Support | Okta provides enterprise support with Technical Account Managers, 24x7 pager support, Premier support options, and SLAs, in accordance with the customer's support level. | No support is provided. |
Dashboard | Okta offers an SSO-enabled dashboard, where multiple users can collaborate on FGA stores and models and where admins/developers can manage API keys. | No dashboard available. |
Cloud Infrastructure Provisioning | Okta provisions and manages the cloud services required to run Okta FGA. | The customer manages the cloud infrastructure. |
Autoscaling | Okta configures services and databases to autoscale. | Customers configure their own autoscaling policies. |
Disaster Recovery | Okta has disaster recovery processes in place for Okta FGA. | Customers must implement their own disaster recovery processes. |
Data Residency | Okta ensures compliance with each country’s data residency laws, including our own services and those of our subprocessors. | Customers ensure compliance with data residency laws. |