The Case Against Token-Based Authorization
9 points by alex-olivier 3 years ago | 3 comments
- detaro 3 years ago
This seems to confuse terminology a bit. The problem described isn't with using tokens (which is good standard practice), but specifically with using signed tokens and relying purely on the information in them.
- robk 3 years agoIs that extra database call to get auth status really that costly? Having the client hold any kind of access control is scary to me.
- alex-olivier 3 years ago
(I lead product at Cerbos[1])
Certainly agree and we have seen a lot of cases of JWT tokens getting bloated with more and more authorization data.
Using JWTs to hold the autheNtication information is standard now, but consuming that and applying fine-grained access controls for authoriZation, using that context with a system that can enforce policies, is the next step.
Having a dedicated AuthZ system in place that sits after the AuthN layer should put your mind at rest as a good one will provide a central point for all authZ logic which can be managed, tested and audited for every action within a system.
- alex-olivier 3 years ago