Ask HN: How do you handle Authorization?
5 points by firatcan on Dec 3, 2021 | hide | past | favorite | 2 comments
Hey everyone,

tl;dr - What do you use for Authorization in your projects, and what's the benefit of using that system?

I'll be honest, I'm working on building an Authorization system right now.

We were contracted to build an ERP for a client. And the last of our 4-5 projects needed a complex authorization system.

So this time we wanted to build the authorization system as a product in which you can customize the permissions, roles and policies (and use it again and again; we already have a demo).

I have found several ways to handle authorization, such as Zanzibar, OPA, Ory Keto etc. And I'm wondering what you use yourself in your side projects or work?

What benefits did you find in your own way, etc.?

There are two ways (that I'm aware of) of doing auth: JWT tokens or storing sessions in a database. Sessions in a database is probably the most secure way. But I'm working with a React SPA, so I'm using JWT tokens.

I've only had brief familiarity with using Amazon Cognito for work. Pain points are that I'm not sure how secure storing JWT tokens in the browser's localStorage is. I briefly looked into HTTP-only cookies, but they seem more difficult to set, and also not really worth it?

It seems that CSRF and XSS vulnerabilities remain an unsolved problem. If you want to improve on something in that space, I'd say security is the major area to do it in. Seriously, I'd put up with more technical pain than AWS Amplify's JavaScript library is giving me just to guarantee that the application is secure.


For sure, security is one of the big areas, but our problem was about flexibility and ease of use.

What you're talking about is a big problem as well. Yet we'd like to have a Stripe-like solution in the authorization space.

One part of that would be security as well.