Longtime software architect, CTO at Authress, creating application security plug-ins for any software application with Authress. Talk to me about security in microservices or service authorization.
That works with small systems, but invariably JWTs are not designed to handle resource management. There just was never a way to support granular permissions access stored in the JWT that works at scale.
I mostly agree; you still may need fine-grained permissions. But you can go a long way with roles and groups for most things.
Document ownership. Things like owner read/write, group read, manager read/write and even manager above are typical oversights.
I'm just pointing out that for many applications, rules and groups fit well enough.