by raskelll 132 days ago
Good fit for coarse auth at the edge (who is this? what tenant? basic scopes, and so on). I’d still keep object-level/domain rules in-app. Fail-closed for auth, fail-open for observability is the right mental model. Biggest multi-tenant footguns are header spoofing + tenant-unaware caching. The proxy should own identity headers and include tenant in any cache key.
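An added example (not from the comment or any project it refers to) of the two fixes named above, in Python: the edge layer drops client-supplied identity headers before setting its own from a verified token, and the cache key carries the tenant. Token verification is stubbed with a constructed in-memory table; the header names are assumptions.

```python
# Added example, not code from the comment above. Token lookup is a
# constructed stand-in for real JWT/session verification at the edge.
import hashlib

# Headers only the proxy may set (assumed names).
IDENTITY_HEADERS = ("x-user-id", "x-tenant-id", "x-scopes")

# Constructed sample credentials: bearer token -> (user, tenant, scopes)
TOKENS = {
    "tok-alice": ("alice", "tenant-a", ("read",)),
    "tok-bob": ("bob", "tenant-b", ("read", "write")),
}


class Unauthorized(Exception):
    pass


def verify_token(token):
    # Fail closed: anything not in the table is rejected outright.
    if token not in TOKENS:
        raise Unauthorized("invalid or missing token")
    return TOKENS[token]


def edge_auth(request):
    """Return the headers the upstream will see. The proxy owns the identity
    headers: client-supplied copies are removed before trusted values are set."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    # Footgun 1: header spoofing. Strip the identity namespace unconditionally,
    # so a forged X-Tenant-Id never survives even if auth later fails.
    for name in IDENTITY_HEADERS:
        headers.pop(name, None)
    auth = headers.get("authorization", "")
    if not auth.startswith("Bearer "):
        raise Unauthorized("no bearer token")
    user, tenant, scopes = verify_token(auth[len("Bearer "):])
    headers["x-user-id"] = user
    headers["x-tenant-id"] = tenant
    headers["x-scopes"] = " ".join(scopes)
    return headers


def cache_key(headers, method, path):
    # Footgun 2: tenant-unaware caching. The tenant is part of the key, so a
    # response cached for tenant-a is never served to tenant-b on the same path.
    raw = f"{headers['x-tenant-id']}|{method}|{path}"
    return hashlib.sha256(raw.encode()).hexdigest()
```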