Github's authorization model uses a combination of roles and scopes, which makes it hard to pre-compute a user's access ahead of time.

Addressing challenges with Github's authorization model

Unlike most developer APIs, authorization is in the critical path of every application request, and requires a different architecture.

The Architectural Challenge of Authorization

Why we started Aserto: the missing developer API for application authorization.

Welcome to Modern Authorization

OAuth2 scopes were never intended to be an authorization mechanism, and indeed are a bad idea when used as a substitute for a real authorization architecture.

OAuth2 Scopes are NOT Permissions

Authentication is a solved problem. But authorization remains a far bigger problem, and is far from solved.

Authentication != Authorization

Five principles that any developer solution for application authorization should adhere to.

The Five Principles of Authorization

Embedding your authorization logic inside your application is a constant source of pain. Separating policy from code brings many benefits.

Why separate policy from your code?

Authorization for SaaS applications is painful for developers, administrators, SecOps, and compliance. It's time to fix this!

Blog

Company Updates & Technology Articles

Addressing challenges with Github's authorization model