[dietr1ch]

Why does it need to be checked on a per-request level?

I'd expect you to be able to give short-lived capability tokens to clients that each machine can verify down the stack without making new rpcs. This would avoid the fan-out of all the internal services.

Is it just to prevent abuse?

[akajla]

You can encode capabilities/permissions as scopes in distributed tokens (e.g. OAuth) but this can start to break down if you have very granular, fine-grained permissions (e.g. user:1 has 'editor' access to 1000s of documents/objects). This is similar to the problem that Carta ran into while building out their permissions[1].

In addition, yes - validating permissions on each request makes it so that you can revoke privilege(s) with immediate effect without needing a token to be invalidated.

[1] https://medium.com/building-carta/authz-cartas-highly-scalab...

[smarx007]

I think it's best to refer to the Zanzibar paper: https://www.usenix.org/system/files/atc19-pang.pdf

[zcw100]

... or the annotated one from the Authzed folks https://authzed.com/zanzibar

[smarx007]

Wow, I am also impressed by the tech behind! https://github.com/authzed/zanzibar-annotated

[dietr1ch]

That's neat! All papers should allow this discussion on them.

BTW, didn't Google released something like it too early?

[AlphaSite]

Does the token identify every resource you have access to? I think is for multi tenant applications with fine grained access control.

[paulddraper]

"Oh, you just [insert complex solution here]"

You need one capability token per principal and resource and perhaps access right.