Best of Authorization2025

  1. 1
    Article
    Avatar of gitguardianGitGuardian·1y

    Authentication and Authorization Best Practices

    Authentication verifies the identity of a user making an API request, while authorization determines if the user has permission to access a specific API. Various methods such as basic auth, API keys, JWT, and OAuth have their use cases and best practices. These include using HTTPS, secure storage, least privilege principle, and regular security audits. Common mistakes to avoid involve using HTTP, storing API keys in code, and ignoring input validation.

  2. 2
    Article
    Avatar of microservicesioMicroservices.io·1y

    Authentication and authorization in a microservice architecture: Part 1 - Introduction

    This post introduces the concepts of authentication and authorization in a microservice architecture. It discusses the challenges of implementing these in distributed systems, contrasting with simpler monolithic systems. Various authorization models like RBAC, ReBAC, and ABAC are explained using a fictional application, RealGuard.io, to illustrate the complexities and potential solutions in both monolithic and microservices environments.

  3. 3
    Article
    Avatar of robinwieruchRobin Wieruch·1y

    Authorization in Next.js

    Learn how to implement authorization in Next.js applications using React Server Components, Server Actions, and the App Router. This guide explains the importance of enforcing authorization close to the data source, discusses different layers of authorization, and provides code examples for ensuring only authorized users can access and modify data. Additionally, it covers the use of middleware and layouts for route-based authorization and user experience enhancements.

  4. 4
    Article
    Avatar of portkeyportkey·21w

    Understanding MCP Authorization

    MCP (Model Context Protocol) requires authorization controls as it moves from local experimentation to production deployments. The protocol enables AI models to interact with external tools and APIs dynamically, but without authorization, every connected client can access all exposed tools. Authorization in MCP works through server-side enforcement at request time, not connection time, using patterns like token-based authorization, scoped capability access, and role-based policies. Best practices include applying least privilege, using short-lived scoped tokens, authorizing every tool call individually, and making all access auditable. Strong authorization boundaries are essential for safely deploying MCP in shared environments and production systems.

  5. 5
    Article
    Avatar of systemdesigncodexSystem Design Codex·28w

    Authorizing 10 Million API Calls Per Second

    LinkedIn handles authorization for tens of millions of API calls per second using Access Control Lists (ACLs) with an in-memory authorization client on each service. ACL data is stored in Espresso database with Couchbase caching, synchronized via Brooklin change data capture. Authorization checks are logged asynchronously through Kafka for monitoring and auditing. The system balances fast authorization checks, timely ACL updates, efficient data management, and comprehensive monitoring at massive scale.

  6. 6
    Article
    Avatar of microservicesioMicroservices.io·42w

    Authentication and authorization in a microservice architecture: Part 3 - implementing authorization using JWT-based access tokens

    Explores implementing authorization in microservices using JWT-based access tokens, covering four strategies for obtaining distributed authorization data: provide (embedding data in tokens), fetch (dynamic retrieval), replicate (local copies), and delegate (authorization service). Discusses JWT limitations including coupling risks, token staleness, size constraints, and security concerns. Uses RealGuardIO application examples to demonstrate when access token authorization works well for simple RBAC scenarios versus complex authorization requiring remote data from multiple services.

  7. 7
    Article
    Avatar of nordicapisNordic APIs·20w

    AuthZEN: A New Standard for Fine-Grained Authorization

    AuthZEN is a new OpenID Foundation specification that standardizes fine-grained authorization through a JSON-based decision API. It decouples policy enforcement points from policy decision points, allowing organizations to use any authorization model (RBAC, ABAC, ReBAC, etc.) behind a consistent interface. This approach reduces vendor lock-in, enables dynamic context-aware decisions for zero-trust architectures, and simplifies authorization across microservices, API gateways, and data systems. AuthZEN aims to bring the same level of standardization to authorization that OAuth and OpenID Connect brought to authentication.

  8. 8
    Article
    Avatar of lobstersLobsters·28w

    I built an actually faster Notion in Rust

    A developer shares their journey building Outcrop, a knowledge base alternative to Notion, using Rust for performance and simplicity. The project includes custom implementations of a Zanzibar-inspired authorization system, a search engine using tantivy with sub-millisecond latency, and a Rust port of ProseMirror for real-time collaborative editing. The architecture prioritizes speed through in-memory authorization checks, integrated search with permissions, and microsecond-level document processing. The product targets software teams and aims to launch within six months at €10 per seat.

  9. 9
    Article
    Avatar of auth0Auth0·23w

    Next.js 16: What’s New for Authentication and Authorization

    Next.js 16 introduces three key changes for security: renaming middleware.ts to proxy.ts to clarify its role as lightweight routing logic, making components dynamic by default with opt-in caching to prevent accidental data leaks, and adding the updateTag() API for immediate cache invalidation after permission changes. These updates establish clearer boundaries between edge-layer traffic control and downstream authentication logic, reduce risks of serving stale authorized content, and ensure permission changes take effect instantly through read-your-writes semantics.

  10. 10
    Article
    Avatar of lnLaravel News·1y

    Enhancing Laravel Authorization with Backed Enums

    Enhance your Laravel application's security model with backed enum support for permissions. This feature provides a type-safe approach to authorization checks while improving code readability and maintainability. The implementation simplifies the process of permission checks, making it more intuitive and manageable across complex systems.

  11. 11
    Article
    Avatar of microservicesioMicroservices.io·34w

    Authentication and authorization in a microservice architecture - Part 4 - fetching and replicating authorization data

    Explores two strategies for handling remote authorization data in microservices: fetch and replicate. The fetch strategy involves making HTTP calls or using the Saga pattern to retrieve authorization data from other services, while the replicate strategy uses CQRS to maintain local copies of authorization data synchronized through events. Each approach has trade-offs between simplicity, runtime coupling, and data freshness.

  12. 12
    Article
    Avatar of juststevekingJustSteveKing·1y

    Advanced Authorization methods in Laravel

    Laravel offers robust authorization mechanisms through Gates and Policies, primarily using RBAC. However, for more granular control, ReBAC, ABAC, and PBAC models can be implemented to suit various use cases. ReBAC is useful for relationship-based checks, ABAC offers fine-tuned control through attributes, and PBAC combines attributes and relationship-based checks with high-level policy definitions. Choosing the right model depends on the complexity, performance, and scalability needs of your application.

  13. 13
    Article
    Avatar of freecodecampfreeCodeCamp·34w

    Master Authentication and Authorization in ASP.NET

    A comprehensive course covering authentication and authorization in ASP.NET applications. Learn to set up Identity tables with Entity Framework Core, configure JWTs, create authentication controllers, manage user registration and login, handle access and refresh tokens, and implement role-based authorization for secure web applications.

  14. 14
    Article
    Avatar of marvelkenmarvelken's public Squad·48w

    From Swipes to Subscriptions: Building Permission Layers in a Dating App

    A comprehensive tutorial on building permission layers in a dating app using Next.js, Supabase, and Permit.io. The guide demonstrates implementing a subscription-based access control system where free users have limited daily swipes and can only view first photos, while premium users get unlimited swipes and full profile access. Covers database schema design, role-based access control setup, and feature gating strategies for modern web applications.

  15. 15
    Article
    Avatar of joyelijahjoyelijah's public Squad·48w

    Implementing Relationship-Based Access Control in a Google Sheet Clone

    Explores implementing Relationship-Based Access Control (ReBAC) in a collaborative spreadsheet application similar to Google Sheets. ReBAC provides granular permissions where users can have different access levels (Owner, Editor, Viewer) for individual documents rather than global roles. The implementation uses Next.js, Supabase for database and authentication, and Permit.io for authorization management. The system allows document owners to share spreadsheets with specific permissions, enabling fine-grained control over who can view or edit each document.

  16. 16
    Article
    Avatar of medium_jsMedium·1y

    How to Build an RBAC Permissioned Admin Dashboard with Permit.io and Flask

    Learn how to implement Role-Based Access Control (RBAC) in a Flask application using Permit.io for managing roles and permissions. The guide covers setting up an employee management system, installing necessary dependencies, creating resources and roles in Permit.io, enforcing permissions with the Permit SDK, and testing the application. This approach enhances scalability and security, preventing unauthorized access to sensitive data.

  17. 17
    Article
    Avatar of baeldungBaeldung·49w

    Authorize Request for Certain URL and HTTP Method in Spring Security

    Spring Security provides flexible mechanisms to authorize requests based on URLs, HTTP methods, and user roles. The tutorial demonstrates implementing role-based access control in a blogging platform where users can manage their own posts while admins have broader permissions. Key concepts include configuring SecurityFilterChain for URL-based authorization, using @PreAuthorize for method-level security, implementing custom UserDetailsService for database authentication, and creating service layers that enforce business logic with proper access controls. The implementation covers user registration, authentication, and CRUD operations with appropriate security constraints.

  18. 18
    Article
    Avatar of awsAWS·47w

    Express.js developers can now add authorization in minutes with Amazon Verified Permissions

    AWS released an open source JavaScript package that enables Express.js developers to implement authorization using Amazon Verified Permissions and Cedar policies. The package moves authorization logic outside application code into externally managed policies, allowing developers to define role-based access controls without embedding complex authorization logic. The integration works through middleware that validates permissions before processing API requests, and policies can be updated without modifying application code.

  19. 19
    Article
    Avatar of cncfCNCF·26w

    OpenFGA Becomes a CNCF Incubating Project

    OpenFGA, an authorization engine based on Google's Zanzibar that implements Relationship-Based Access Control (ReBAC), has been promoted to CNCF incubating status. The project centralizes authorization logic through an API-first approach, making it easier to implement complex access control at scale. Since joining CNCF as a sandbox project in 2022, OpenFGA has gained 37 production adopters, expanded to multiple SDKs (Python, Java, Go, .NET, JS), added maintainers from Grafana Labs and GitPod, and integrated with CNCF projects like OpenTelemetry, Helm, and Prometheus. The project has accumulated 4,300+ GitHub stars and 96 contributors, with future plans including new SDKs for Ruby, Rust, and PHP, AuthZen standard support, and performance improvements.

  20. 20
    Article
    Avatar of microservicesioMicroservices.io·22w

    Authentication and authorization in a microservice architecture - Part 5 - implementing complex authorization using Oso Cloud

    Authorization in microservices becomes complex when decisions require data from multiple services. Authorization-as-a-service platforms like Oso Cloud solve this by centralizing policy logic written in declarative languages (Polar) and evaluating authorization decisions via API calls. Services populate Oso with facts about roles and relationships through events (CQRS pattern), then delegate authorization checks instead of implementing complex conditional logic and database joins. This approach supports RBAC, ReBAC, and ABAC while reducing per-service implementation burden. The article demonstrates Oso integration in a security system application, showing how policies express role inheritance across resource relationships and how unification evaluates permission queries.

  21. 21
    Article
    Avatar of faunFaun·31w

    OWASP Top 10 for Appliction Programming Interfaces

    Explores the OWASP API Security Top 10, detailing critical vulnerabilities like broken object level authorization, broken authentication, and SSRF. Each vulnerability is explained with practical code examples showing how attackers exploit these weaknesses and what defenses developers should implement. Includes guidance on authorization checks, rate limiting, input validation, configuration hardening, and API inventory management to prevent data breaches and system compromises.

See all Authorization archives