RDX-1788 Stop overloading JWTs with permission claims | Devoxx

Stop overloading JWTs with permission claims


Track: Architecture, Performance and Security (archisec). Level: Intermediate

The authorization that OAuth2 provides is likely a subset of all the authorization that you need. OAuth2 deals with what I call "identity authorization". We've too often misunderstood authorization by trying to make OAuth2 do more authorization than it's supposed to, customizing JWT access tokens (which should be about "identity") with application-specific role and permission claims that don't belong there. I'll show how you can do more comprehensive authorization using testable business logic and a "policy service".
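The split the abstract describes, as an added example that is not code from the talk or from the speaker: the access token carries only identity claims (iss, sub, aud, exp, an OAuth2 scope), and the application-specific decision ("may this subject approve this invoice?") is answered by a separate policy service whose rules are plain, unit-testable functions. The HS256 signing key, the `PolicyService`/`Invoice` names, the role names and the separation-of-duties rules are all assumptions made for illustration; the point they demonstrate is that a role revoked in the policy store is honoured immediately, whereas a role claim baked into an unexpired token cannot be.

```python
"""Identity in the token, permissions in a policy service (illustrative example)."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

# Constructed symmetric key for the example; an IdP would normally sign with an asymmetric key.
KEY = b"example-hs256-key-do-not-use-in-production"
ISSUER, AUDIENCE = "https://idp.example", "invoice-api"   # assumed values


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = KEY) -> str:
    """Compact HS256 JWT; the caller decides which claims go in."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_token(token: str, key: bytes = KEY, now=None) -> dict:
    """Check alg, signature, iss, aud and exp; return the identity claims."""
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_unb64(header_b64)).get("alg") != "HS256":   # refuse alg=none etc.
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims


@dataclass
class Invoice:
    id: int
    author: str
    amount: int


@dataclass
class PolicyService:
    """Application authorization: current role assignments plus business rules.

    Role assignments live here (a database or external policy engine in practice),
    not in the token, so a revocation applies at once rather than at token expiry.
    """
    roles: dict = field(default_factory=dict)      # subject -> set of application roles
    invoices: dict = field(default_factory=dict)   # invoice id -> Invoice

    def authorize(self, subject: str, action: str, invoice_id: int) -> bool:
        inv = self.invoices.get(invoice_id)
        if inv is None:
            return False
        roles = self.roles.get(subject, set())
        if action == "read":
            return inv.author == subject or "accountant" in roles
        if action == "approve":
            # Separation of duties: nobody approves their own invoice, and large
            # amounts need the stronger role. Both rules are plain, testable logic.
            if inv.author == subject or "approver" not in roles:
                return False
            return inv.amount < 10_000 or "senior_approver" in roles
        return False


def check(token: str, action: str, invoice_id: int, policy: PolicyService, now=None) -> bool:
    """Identity (and OAuth2 scope) from the token; the permission decision from the policy."""
    claims = verify_token(token, now=now)
    if "invoices" not in claims.get("scope", "").split():
        return False   # scope answers "may this client call the invoice API at all?"
    return policy.authorize(claims["sub"], action, invoice_id)


def demo() -> dict:
    """Contrast a policy-service decision with a role claim baked into the token."""
    now = 1_700_000_000
    token = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice",
                        "scope": "openid invoices", "exp": now + 3600})
    policy = PolicyService(
        roles={"alice": {"approver"}, "bob": {"approver", "senior_approver"}},
        invoices={1: Invoice(1, "bob", 500), 2: Invoice(2, "carol", 50_000),
                  3: Invoice(3, "alice", 100)},
    )
    before = check(token, "approve", 1, policy, now)    # True: approver, small amount
    big = check(token, "approve", 2, policy, now)       # False: needs senior_approver
    own = check(token, "approve", 3, policy, now)       # False: own invoice
    policy.roles["alice"].discard("approver")           # role revoked server-side
    after = check(token, "approve", 1, policy, now)     # False, same unexpired token
    # The anti-pattern: a role claim in the token still reads "approver" after revocation.
    baked = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "scope": "invoices",
                        "exp": now + 3600, "roles": ["approver"]})
    stale = "approver" in verify_token(baked, now=now)["roles"]   # True until expiry
    return {"before": before, "big": big, "own": own, "after": after, "stale_claim": stale}
```

The token verification is deliberately strict about `alg`, issuer and audience, because once permissions are decided elsewhere the token's only job is to establish who is calling; the `demo()` return value shows the revoked approver being refused on the very next request while the token with an embedded `roles` claim would keep asserting the old role until it expires.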

Tags: JWT, OAuth 2.0, OpenID Connect, microservices architecture, Spring Security
Stephen Doxsee

Stephen is a software engineer and consultant through Simple Step Solutions, which aims to help organizations assess, plan, build, and maintain their software with IAM-based architectures and evidence-based approaches to software delivery performance.