Un-complicate authorization maintenance

Is your authorization logic a tangled mess of spaghetti code? Learn how to decouple it into a central service and manage permissions as versioned code.

#1about 2 minutes

Differentiating between authentication and authorization

Authentication verifies a user's identity, while authorization determines what actions that verified user is allowed to perform.

#2about 15 minutes

How authorization logic evolves into spaghetti code

As a product grows, simple role checks escalate into complex, hardcoded logic for packaging, regions, enterprise features, and compliance, creating a maintenance bottleneck.

#3about 2 minutes

Why microservices exacerbate authorization maintenance issues

In a microservices architecture, authorization logic must be re-implemented and maintained across multiple services, languages, and teams, increasing complexity and risk.

#4about 5 minutes

A modern approach using a decoupled authorization service

Decoupling authorization logic into a central, policy-based service separates it from application code, enabling independent evolution and management.

#5about 8 minutes

Implementing decoupled authorization with the sidecar pattern

Deploying the authorization service as a sidecar in Kubernetes co-locates it with your application for low-latency checks while keeping the logic centralized.

#6about 3 minutes

Evaluating the advantages and disadvantages of decoupling

Decoupling provides centralized logic, language agnosticism, and consistent audit trails, but requires managing an additional service and potentially learning a new DSL.

#7about 1 minute

Using the open source project Cerbos for authorization

Cerbos is an open-source, self-hosted authorization service that implements the decoupled, policy-based approach for managing complex permissions.

#8about 19 minutes

Answering audience questions on authorization best practices

The discussion covers implementing authorization at different OSI layers, ensuring changes are tested, identifying complexity, and handling compromised credentials.