Blog

OAuth2 scopes were never intended to be an authorization mechanism, and indeed are a bad idea when used as a substitute for a real authorization architecture.

Authentication is a solved problem. But authorization remains a far bigger problem, and is far from solved.

Five principles that any developer solution for application authorization should adhere to.

Embedding your authorization logic inside your application is a constant source of pain. Separating policy from code brings many benefits.

Authorization for SaaS applications is painful for developers, administrators, SecOps, and compliance. It's time to fix this!