Long time software architect, CTO Authress, creating application security plug-ins for any software application with Authress. Talk to me about security in microservices or service authorization.
Great writeup, it's amazing how many teams still try to couple authentication to authorization. But you got that exactly right to keep these separate.
I'm also wondering about the implementation; these are usually really challenging. I've found from many past experiences that building the user IAM aspects always encounters some pitfalls. I actually wrote up my most recent adventure into building authz in our services.
Thanks, Warren
Implementing and enforcing IAM isn't a trivial task and can be challenging in a microservice architecture.
We think that choosing the correct access management control depends on the application requirements and can differ from one application to another.
In the next part, we will see the implementations that fit our needs.
I 100% identify with your sentence: "I've been through this journey myself, more than once. Every time, I was looking back..."
As humans, it is in our nature to solve problems. Looking back and asking ourselves the questions: did we achieve our goals? What could we have done differently? Did we choose the correct solution for that particular problem?
This step is critical while solving problems; it keeps us going and improves our skills as software engineers.
I generally include a handful of high-level roles in service and application design. You may also want groups. These can be included in the JWT. Authorization by ownership is of course separate.
That works with small systems, but invariably JWTs are not designed to handle resource management. There was just never a way to store granular permission access in the JWT that works at scale.
I mostly agree; you may still need fine-grained permissions. But you can go a long way with roles and groups for most things.
Document ownership. Things like owner read/write, group read, manager read/write and even manager above are typical oversights.
I'm just pointing out that for many applications, roles and groups fit well enough.
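To make the split the commenters are describing concrete (coarse roles and groups carried in the JWT, ownership decided separately against server-side data), here is an added Python example. It is not code from the thread or from Authress, and it assumes an HS256 token signed with a shared secret, a hypothetical document table and a hypothetical employee-to-manager map, all constructed inline for the example. It shows the owner read/write, group read, and manager/manager-above cases mentioned above, and it only trusts roles and groups after the token's signature and expiry have been checked.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data (hypothetical): documents and their owners/groups,
# plus a direct-manager map used to walk the management chain.
DOCS = {
    "doc-1": {"owner": "alice", "group": "eng"},
}
MANAGER_OF = {"alice": "bob", "bob": "carol"}  # employee -> direct manager


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(sub, roles, groups, key: bytes, ttl=3600, now=None) -> str:
    """Issue an HS256 JWT carrying only coarse roles and groups (no per-document permissions)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": sub, "roles": roles, "groups": groups, "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, key: bytes, now=None):
    """Return the claims only if alg is the expected one, the MAC matches, and the token is unexpired."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        sig = _b64url_decode(s)
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # malformed base64/JSON or wrong segment count
        return None
    if header.get("alg") != "HS256":  # the verifier, not the token, picks the algorithm
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def is_manager_above(user, owner, manager_of, max_depth=10):
    """True if `user` appears anywhere in `owner`'s management chain (bounded walk)."""
    cur = owner
    for _ in range(max_depth):
        cur = manager_of.get(cur)
        if cur is None:
            return False
        if cur == user:
            return True
    return False


def can_access(claims, doc_id, action, docs=DOCS, manager_of=MANAGER_OF) -> bool:
    """Ownership decision: roles/groups come from the verified token, ownership and
    the manager chain are looked up server-side rather than being stored in the JWT."""
    doc = docs.get(doc_id)
    if doc is None or action not in ("read", "write"):
        return False
    user = claims["sub"]
    if "admin" in claims.get("roles", []):      # coarse role from the token
        return True
    if doc["owner"] == user:                    # owner read/write
        return True
    if is_manager_above(user, doc["owner"], manager_of):  # manager and manager-above read/write
        return True
    if doc["group"] in claims.get("groups", []):  # group read only
        return action == "read"
    return False
```

The token deliberately carries nothing about `doc-1`; adding a permission entry per document to the JWT is exactly the pattern that stops scaling, so the document and manager lookups stay on the server and the token only answers "who is this and which coarse roles/groups do they hold".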