Talks: Why Authorization is Hard

Presented by:


Every team implements authorization in their app to control which users can do what. You'd think by now we'd have a standard set of best practices for how to build it. And yet, we don't! Especially in the Python ecosystem. Why is authorization so hard?

Authorization is made up of three building blocks, each of which presents its own challenges:

  1. Enforcing authorization is hard because it needs to happen in so many places. Controllers, database mappers, routers, and user interfaces all need to enforce authorization. As a result, there are limited off-the-shelf approaches that work in all cases.

  2. Decision architecture is hard because you want to separate authorization from the application, but a lot of authorization data is application data too. A monolith can check its own database when it needs to make a decision, but what happens if you want to consolidate authorization into a separate service? Many off-the-shelf solutions focus on the separation – coordinating it and keeping everything in sync is challenging too.

  3. Modeling authorization is hard too. It's easy to whip up the first use case — adding a roles table to your database works for a while. But it's hard to start simple and grow into your complexity as you need it. And it's hard to make something powerful that's simple to get started with. The options available typically err on one end of the spectrum or the other.

In this talk, you'll learn the approaches for how to solve each of these areas and the associated tradeoffs.