The Access Control Revamp v2

Gabriel L. Manor
1 reply
It's incredible to think that just a few years ago, we had to manually code app authentication and store encrypted passwords in the database. Nowadays, it seems like the only go-to approach for authentication is to rely on authentication providers like Auth0, Clerk, and others. However, it appears we are now heading in the same direction with authorization.

More and more developers are turning to tools like OPA and Rego to create application policies. Recently, AWS introduced a new policy language called Cedar specifically for app-level authorization. OSO also made headlines with a $15 million funding round for their policy engine. Additionally, Permit.io released a new standard for frontend authorization called FoAz (FoAz.io), while Auth0 launched their own implementation of Google Zanzibar called OpenFGA. It seems like everyone is looking to overhaul their app authorization systems.

I'm curious to know where you stand in this game. Are you still using imperative code with 'if (user.admin)' statements? Have you explored open-source policy engines? Are you considering leveraging one of these new cloud services to manage permissions? Perhaps you're even looking into alternative permission models beyond RBAC. I'd love to hear your thoughts on this access control revamp v2. What's your take on it?

Replies

Danny Lev
Wow, it's crazy to think how far we've come in just a few years when it comes to app authentication and authorization. It used to be such a pain to manually code app authentication and store encrypted passwords in the database, but now we have authentication providers like Auth0 and Clerk that make our lives so much easier.

But you know what's even cooler? The way app authorization is evolving! More and more developers are turning to tools like OPA and Rego to create application policies, and there are so many new cloud services and open-source policy engines popping up, like Cedar, OSO, and FoAz. It's clear that everyone is trying to overhaul their app authorization systems, and I think it's really exciting to see so much innovation happening in this space.

Personally, I'm super stoked to explore these new tools and see how they can help me manage permissions more effectively. While I've used 'if (user.admin)' statements in the past, I think these new tools will be way more flexible and scalable in the long run. And I'm definitely interested in checking out some alternative permission models beyond RBAC! Overall, I think this access control revamp v2 is a really positive development for the industry, and I can't wait to see where it takes us.