I commend you for the attempt... But the issue you are trying to mitigate (heavy tokens due to a complex scope strategy) is a symptom of a bigger problem that has caused OAuth-using folks to scratch their heads for a long while. (Of course, it also relates to non-OAuth JWTs.)

TL;DR: The new "cloud native" way of solving for this is to not push your "permissions" through the token. Basically, you limit the scopes included in a token to just a few basic ones (essentially assigning the user to a "role" - think RBAC)... and then you use a modern authorization approach (e.g. CNCF Open Policy Agent) to implement the detailed/fine-grained authorization. It's hella cool, declarative, distributed, and infinitely scalable... and it obviates the whole "heavy JWT" issue before it starts.

Source: This is what I do day in, day out in my day job.
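To make the split concrete, here is an added illustration (not from the commenter) of what the thin-token-plus-OPA pattern looks like in Rego: the JWT carries only a coarse `roles` claim, and the fine-grained method/path permissions live in policy data that OPA evaluates per request. The package name, the `input` shape, the role names and the path prefixes are all hypothetical.

```rego
# Hypothetical OPA policy: fine-grained authz decided here, not in the JWT.
package httpapi.authz

import rego.v1

default allow := false

# The token itself only carries a coarse role, e.g. {"sub": "alice", "roles": ["editor"]}.
# The API gateway verifies the signature and passes the decoded payload as
# input.token.payload, together with input.method and input.path.

# Fine-grained mapping kept in policy, so the token never grows with it.
role_permissions := {
    "viewer": [
        {"method": "GET", "path_prefix": "/orders"},
    ],
    "editor": [
        {"method": "GET", "path_prefix": "/orders"},
        {"method": "POST", "path_prefix": "/orders"},
        {"method": "PUT", "path_prefix": "/orders/"},
    ],
}

# Allow when any role in the token grants a permission matching the request.
allow if {
    some role in input.token.payload.roles
    some perm in role_permissions[role]
    perm.method == input.method
    startswith(input.path, perm.path_prefix)
}
```

Adding a new permission to "editor" changes only this policy file (or its data), so issued tokens keep the same two-claim payload and never need to be reissued.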