by brianwmunz
95 days ago
A good idea is to build thin proxy layers that map "coarse" upstream tokens to more fine-tuned internal permissions. The proxy holds the real API token and your internal services authenticate with scoped tokens that only allow specific endpoints/operations. It works well, but you're basically rebuilding OAuth scoping yourself... which is why some teams just accept the risk and focus their security effort on token rotation and monitoring instead.
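The token-scoping proxy the comment describes, as an added example that is not part of the thread and not any particular project's code. It assumes a hypothetical HMAC-signed internal token whose scopes are `METHOD:/path/pattern` strings, a constructed upstream token, and a stand-in for the real API; the proxy is the only component that ever sees the coarse upstream token, and it refuses to forward anything the caller's scopes do not cover.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical secrets, constructed for this example. Only the proxy process holds them.
SIGNING_SECRET = b"internal-proxy-signing-key"  # signs/verifies the scoped internal tokens
UPSTREAM_TOKEN = "coarse-upstream-api-token"     # the real broad token; never returned to callers


def mint_scoped_token(scopes, ttl_seconds=900, now=None, secret=SIGNING_SECRET):
    """Issue an internal token carrying 'METHOD:/path/pattern' scopes and an expiry."""
    now = time.time() if now is None else now
    claims = {"scopes": list(scopes), "exp": now + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def verify_scoped_token(token, now=None, secret=SIGNING_SECRET):
    """Return the scope list if the signature is valid and the token is unexpired, else raise."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        raise PermissionError("malformed token")
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise PermissionError("bad signature")
    claims = json.loads(payload)
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        raise PermissionError("token expired")
    return claims["scopes"]


def _path_allowed(pattern, path):
    """Segment-wise match: '*' covers exactly one path segment; dot segments are rejected."""
    path = path.split("?", 1)[0].split("#", 1)[0]  # query/fragment never take part in matching
    segs = path.strip("/").split("/")
    if any(s in (".", "..") for s in segs) or ("" in segs and len(segs) > 1):
        return False  # traversal or empty segments: deny rather than normalize
    pat = pattern.strip("/").split("/")
    return len(pat) == len(segs) and all(p == "*" or p == s for p, s in zip(pat, segs))


def _scope_allows(scope, method, path):
    scope_method, _, pattern = scope.partition(":")
    return scope_method.upper() in ("*", method.upper()) and _path_allowed(pattern, path)


class ScopedProxy:
    """Holds the coarse upstream token; forwards only requests covered by the caller's scopes."""

    def __init__(self, upstream_token, upstream_call):
        self._upstream_token = upstream_token
        self._upstream_call = upstream_call  # callable(method, path, headers) -> response

    def forward(self, internal_token, method, path, now=None):
        scopes = verify_scoped_token(internal_token, now=now)
        if not any(_scope_allows(s, method, path) for s in scopes):
            raise PermissionError(f"{method} {path} not in scope")
        headers = {"Authorization": f"Bearer {self._upstream_token}"}  # injected here only
        return self._upstream_call(method, path, headers)


def fake_upstream(method, path, headers):
    """Constructed stand-in for the real API: just checks the coarse token was presented."""
    assert headers["Authorization"] == f"Bearer {UPSTREAM_TOKEN}"
    return {"status": 200, "method": method, "path": path}


def check_request(proxy, token, method, path, now=None):
    """Wrap forward() so callers get ('allowed', response) or ('denied', reason)."""
    try:
        return "allowed", proxy.forward(token, method, path, now=now)
    except PermissionError as e:
        return "denied", str(e)


def tamper_scopes(token, new_scopes):
    """Simulate an attacker rewriting the scopes while keeping the old signature."""
    payload_b64, sig_b64 = token.split(".")
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    claims["scopes"] = list(new_scopes)
    forged = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(forged).decode() + "." + sig_b64


# Demo fixtures with a fixed clock so results are reproducible.
DEMO_NOW = 1_700_000_000
DEMO_PROXY = ScopedProxy(UPSTREAM_TOKEN, fake_upstream)
DEMO_TOKEN = mint_scoped_token(["GET:/repos/acme/*", "POST:/repos/acme/*/issues"],
                               ttl_seconds=600, now=DEMO_NOW)

if __name__ == "__main__":
    for method, path in [("GET", "/repos/acme/widgets"), ("DELETE", "/repos/acme/widgets")]:
        print(method, path, check_request(DEMO_PROXY, DEMO_TOKEN, method, path, now=DEMO_NOW + 1))
```

The point of `tamper_scopes` and the `..` check is to show the two things that matter once you build this yourself: the internal token must be integrity-protected (otherwise a service can widen its own scopes), and path matching has to be done on a canonical, segment-wise basis, since a glob that lets `*` span `/` or a matcher that accepts `..` quietly turns one scoped endpoint into the whole API.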