Most software developers think of authentication as a solved problem. We can rely on a mature set of standards, such as OAuth2, OIDC, SAML, and JWT, and on libraries in every language that make authentication easy to implement.

There’s a clear demand for a turnkey developer API for authorization: in over 80 conversations with the technical leaders of startups from seed-stage to series D, the vast majority think of authorization as “undifferentiated heavy lifting” that is very important to get right, yet doesn’t add any unique value to the users of their applications.

Unlike developer APIs for sending email, text messages, or even payment processing, authorization is in the critical path of each application request, which means that it must be satisfied in milliseconds, and must be 100% available to the calling application.

Yet that’s not what developers mean when they ask for a turnkey authorization service: they want a central control plane that manages all the artifacts involved in making an authorization decision: the authorization policy, treated as code and stored and versioned in a git repository; user attributes, roles, and permissions, sourced from a set of identity providers; and the context about resources that feeds into each authorization decision.
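The two paragraphs above describe a split between a central control plane (policy, identity data, resource context) and a decision that has to be computed on every request in milliseconds. The following is an added illustration, not code from the original article: a minimal in-process policy decision point where the policy document, the attribute and constraint names, and the sample users and resources are all constructed for the example. It shows policy as versioned data, roles and attributes as they might be synced from an identity provider, resource context supplied by the caller, and a default-deny evaluation that fails closed when a subject, attribute or constraint is missing.

```python
"""Minimal local policy decision point (PDP).

Added example for the surrounding text; policy format, attribute names,
users and resources below are constructed, not from any real product.
"""
from dataclasses import dataclass
from typing import Any

# --- Artifacts a control plane would distribute to every application instance ---

# Policy as code. In practice this would be pulled from a git repository by
# version; here it is an inline constant with a constructed version label.
POLICY = {
    "version": "policy-2024-constructed",
    "rules": [
        # Each rule: the permission it grants, which roles may hold it, and the
        # constraints (comparisons of user vs. resource attributes) that must hold.
        {"permission": "document.read",
         "roles": ["viewer", "editor", "admin"],
         "constraints": {"same_tenant": True}},
        {"permission": "document.write",
         "roles": ["editor", "admin"],
         "constraints": {"same_tenant": True, "resource_not_locked": True}},
        {"permission": "document.delete",
         "roles": ["admin"],
         "constraints": {"same_tenant": True, "resource_not_locked": True}},
    ],
}

# User attributes and roles as they might be synced from an identity provider
# (constructed sample data).
USER_DIRECTORY = {
    "alice": {"tenant": "acme", "roles": ["editor"]},
    "bob":   {"tenant": "acme", "roles": ["viewer"]},
    "carol": {"tenant": "globex", "roles": ["admin"]},
}

# Constraint implementations. A constraint that cannot be evaluated because an
# attribute is absent returns False, so missing context never grants access.
CONSTRAINTS = {
    "same_tenant": lambda user, res: user.get("tenant") is not None
                                     and user.get("tenant") == res.get("tenant"),
    "resource_not_locked": lambda user, res: res.get("locked") is False,
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    policy_version: str  # recorded so audit logs can tie a decision to a policy revision


def authorize(user_id: str, permission: str, resource: dict[str, Any],
              policy: dict[str, Any] = POLICY,
              directory: dict[str, dict[str, Any]] = USER_DIRECTORY) -> Decision:
    """Default-deny evaluation, entirely in-process: no network call on the request path.

    Unknown subject, missing resource attributes and unknown constraint names all
    fail closed instead of falling through to allow.
    """
    version = policy["version"]
    user = directory.get(user_id)
    if user is None:
        return Decision(False, "unknown subject", version)
    for rule in policy["rules"]:
        if rule["permission"] != permission:
            continue
        if not set(rule["roles"]) & set(user.get("roles", [])):
            continue
        try:
            if all(CONSTRAINTS[name](user, resource)
                   for name, required in rule["constraints"].items() if required):
                return Decision(True, f"rule for {permission} satisfied", version)
        except KeyError as exc:
            # A constraint named in policy but not implemented is a policy bug;
            # deny rather than silently skipping the check.
            return Decision(False, f"unknown constraint {exc}", version)
    return Decision(False, "no matching rule", version)


if __name__ == "__main__":
    doc = {"tenant": "acme", "locked": False}
    for who, perm in [("alice", "document.write"), ("bob", "document.write"),
                      ("carol", "document.delete"), ("mallory", "document.read")]:
        print(who, perm, authorize(who, perm, doc))
```

The point of the structure is that everything `authorize` touches is local data that the control plane can push out ahead of time; the request path only does dictionary lookups and a few comparisons, which is what lets the check be both fast and independent of the control plane's availability.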
