Hey everyone,
tl;dr - What do you use for Authorization in your projects, and what's the benefit of using that system?
I'll be honest, I'm working on building an Authorization system right now.
We were contracted to build an ERP for a client, and the last of our 4-5 projects needed a complex authorization system.
So this time we wanted to build the authorization system as a product in which you can customize the permissions, roles and policies (and use it again and again; we already have a demo).
I have found several ways to handle authorization, such as Zanzibar, OPA, Ory Keto, etc. And I'm wondering what you use yourself in your side projects or at work?
What benefits did you find in your own way, etc.?
I've only had brief familiarity with using Amazon Cognito for work. Pain points are that I'm not sure how secure storing JWT tokens in the browser's localStorage is. I briefly looked into HTTP-only cookies, but it seems more difficult to set, and also not really worth it?
It seems that CSRF and XSS vulnerabilities remain an unsolved problem. If you want to improve on something in that space, I'd say security is the major area to do it in. Seriously, I'd put up with more technical pain than AWS Amplify's JavaScript library is giving me just to guarantee that the application is secure.