The Case Against Token-Based Authorization

The Case Against Token-Based Authorization(cerbos.dev)

9 points by alex-olivier 4 years ago | 3 comments

detaro 4 years ago |

This seems to confuse terminology a bit. The problem described isn't with using tokens (which is good standard practice), but specifically with using signed tokens and relying purely on the information in them.

robk 4 years ago |

Is that extra database call to get auth status really that costly? Having the client hold any kind of access control is scary to me.

alex-olivier 4 years ago | |

(I lead product at Cerbos[1])

Certainly agree and we have seen a lot of cases of JWT tokens getting bloated with more and more authorization data.

Using JWTs to hold the autheNtication information is a standard now but consuming that and applying fine-grained access controls for authoriZation using that context with a system that can enforce policies is that next step.

Having a dedicated AuthZ system in place that sits after the AuthN layer should put your mind at rest as a good one will provide a central point for all authZ logic which can be managed, tested and audited for every action within a system.

[1] https://cerbos.dev