I’ve talked to countless developers about how they’ve built and evolved their authorization systems over time. One common regret that keeps coming up involves getting burned by using OAuth2 scopes in a JWT as the sole basis for making authorization decisions.

But authorization is not authentication, and OAuth2 scopes were never intended to be an authorization mechanism. In practice, they are a really bad idea when used as a substitute for a real microservices-focused authorization architecture. So how has this anti-pattern emerged?
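To make the distinction concrete, here is an added example (not code from the original post) that puts the scope-only check beside a check that also consults a resource-level policy. The claims, the document store and the function names are constructed for illustration; the claims are assumed to come from an access token whose signature has already been verified.

```python
# Constructed sample claims, as they would look after the access token's
# signature has been verified. No real issuer, no real token.
CLAIMS_ALICE = {"sub": "alice", "scope": "documents:read documents:write"}
CLAIMS_BOB = {"sub": "bob", "scope": "documents:read documents:write"}

# Constructed in-memory resource store standing in for the service's data.
DOCUMENTS = {
    "doc-1": {"owner": "alice", "shared_with": set()},
    "doc-2": {"owner": "bob", "shared_with": {"alice"}},
}


def has_scope(claims: dict, needed: str) -> bool:
    """Scopes are a space-separated string in the 'scope' claim."""
    return needed in claims.get("scope", "").split()


def can_write_scope_only(claims: dict, doc_id: str) -> bool:
    """The anti-pattern: the scope is the sole basis for the decision.

    Any client holding a token with documents:write may modify any
    document, because nothing relates the subject to the resource.
    """
    return has_scope(claims, "documents:write")


def can_write(claims: dict, doc_id: str) -> bool:
    """Scope says what the client was delegated; the policy check says
    whether this subject may act on this particular resource."""
    if not has_scope(claims, "documents:write"):
        return False
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return False
    return doc["owner"] == claims["sub"]


def can_read(claims: dict, doc_id: str) -> bool:
    """Read requires the scope plus ownership or an explicit share."""
    if not has_scope(claims, "documents:read"):
        return False
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return False
    return doc["owner"] == claims["sub"] or claims["sub"] in doc["shared_with"]
```

Both subjects carry identical scopes, so only the policy-aware functions distinguish Alice's access from Bob's.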
