Authorization Core support for groups roadmap clarifications

I love auth0 so much for it being a wonderful product. I love auth0 company for personal support and generosity from their side I received whilst being their client. And I love the perfect level of support. And mostly everything they do. Therefore I decided to use my rant credits and write this short rant - because I want it to have this one single major problem fixed so badly.

Auth stands for two things - authentication and authorization. And the auth shortening usually means both things. And the authorization part of auth0 functionality is half-baked.

It was so five years ago - Field Notes: Evaluating Auth0 vs. Stormpath - One Hungry Mind. It was so when I started using it a year ago. It is today - we still do not have groups functionality. The authorization extension vs authorization core ambiguity is OK for 3 or 6 months, but things do not seem to have been moving towards any sort of resolution for years now…

One can not demand a company to ship a certain feature. Yet I think there is also a problem with communication of the authorization roadmap topic. Let me give a few examples:
a) Update on Authorization Core RBAC roadmap - any tougher questions regarding RBAC seem to be ignored.
b) https://webcache.googleusercontent.com/search?q=cache:qJLJtH82Jl8J:https://community.auth0.com/t/authorization-series-pt-2-securing-http-apis-with-rbac-rules/29128+&cd=2&hl=en&ct=clnk&gl=lt → articles disappear. In history you can see company commits of having groups in 2021q2, but it’s a month into 2021q3, and we’re not there.
c) Any roadmap timeline requests are ignored: How do you manage user groups? - #2 by john.gateley.

Dear auth0, authorization is half of what you do. At least according to your name. Stand up and say - we do not support complex authorization requirements as of now. Try working around this as a); b); c).

Please do provide updates on what’s going on with the authorization part of auth. Maybe it’s a complex problem, I understand, but currently, as the rant title suggests - it’s an elephant in the room matter.

How can we, clients and community, help to get this sorted? Is there a groups feature beta program where we can apply? When will authorization functionality get the attention and progress from your side it actually deserves?

Tom


Hey there! Thanks for sharing all that feedback. Let me address your concerns shortly or bring one of our product managers in so we can have additional context in here. Thank you for your patience!


Thanks, Conrad. Meanwhile I’ll just restate what I think is the main problem - groups functionality is missing in the core authorization. And that, at least for me, implies that the authorization data model is just incomplete as of now.

From practical experience I do see groups and roles as completely different things. rights - Group vs role (Any real difference?) - Stack Overflow has a subtle discussion on this.

But the very fact that the authorization extension has groups, and core does not, yet it has been tried to make as beta, which was then closed, indicates that you guys are seeking a solution and it’s not one to be found easily.

Authorization Core vs. Authorization Extension shows that authorization core is lagging two features behind:
a) Users and Roles can be assigned to Groups - what’s the status of this? What are the problems with this being implemented? What expectations should we have?
b) Roles are attached to specific applications - not sure exactly what the implications of this are in choosing authz extension vs authz core. Would love to have this described in more detail.

I’m ranting because I honestly care. I’ve spent 200 hours or so researching and implementing a quite complex auth requirement in my SaaS. Wrote a lot of custom auth code myself. In website, backend, react/vue, CF workers. I don’t mind complexity, i.e. using the management API instead of getting the data from the token. And you still need to write custom code in the backend - i.e. djangorestframework-auth0/permissions.py at master · mcueto/djangorestframework-auth0 · GitHub. And then suddenly - just because the auth0 team did not yet find a way to implement groups in authz core, you just realize that you’ll be implementing both authz core and authz extension along the way with a mission to find which way sucks less and which approach has less painful tradeoffs.

And that’s for me who spent 200+ hours with auth/auth0 setup already, has some custom code and most likely will find my way around eventually. But I’d love auth0 to show me guidance through authz topics, not just authentication. And also - what about the newcomers? They should find auth0 authz support really challenging to grasp.

I think what you guys surely do - just write an extensive and exhaustive tutorial on how to implement authorization with auth0 in 2021. Start about where and when you’d pick authz extension vs authz core - you understand yourself the pain of two different APIs, so at least help to navigate this choice. There are hundreds of github repos on authorization, why not make at least a few with advanced and complex RBAC authz requirements to give an example. Pick any backend - django, node - we’ll be glad to reimplement that ourselves. But suddenly authz has way fewer tutorials, so few code examples and so on and so forth. It seems you guys feel you yourself have not nailed this part of your product yet and therefore are more hesitant to talk about that.

Ok, this ended up being almost the second rant 🙂 Anyhow, I do believe such honest feedback from the clients who actually care and also who feel the hurt of some features still missing is of some value.

I understand your frustrations and appreciate your loyalty and desire to gently nudge Auth0 in the right direction. First and foremost, you’re right, our focus on authentication has been historically prioritized over authorization and RBAC, which is foundational to application development. On the authorization front, we saw a big opportunity to deliver a foundational capability in Organizations, and we focused on that. Check it out if you haven’t already as it may help with some of the problems you’re looking to solve. Secondly, you’re right! Groups and roles are different beasts. Groups are a common IT directory practice for creating named containers or organizational units to collect users and other objects. Auth0’s user directory has provided application developers with virtually unlimited data modeling flexibility. However, it currently lacks user groups as a core directory feature. I apologize that dates have been provided previously for implementing user groups and for the unclear information about group support in the Authorization Extension. When we schedule engineering and have a target release for user groups in the core Auth0 product, we’ll inform the community.


Thanks a lot, @gary.gwin!

Everything makes complete sense!

“virtually unlimited data modeling flexibility” - I think this (in broad perspective) attitude is what makes Auth0 so appealing. That’s why I met organizations - a huge extension of the data model - with loud applause. Did not research it too extensively yet, but you sure want to stick with companies which do embrace the challenges of major data model extensions. And I honestly had this thought - ‘ok, maybe groups was just put on hold till the organisations is being shipped…’ and am glad that my gut feeling was, judging from what you elaborated, more or less correct.

So yeah, in marathon terms, ultimately I was honestly worried that after getting those 42km so perfectly right you would not stop for the remaining 195m - am glad to hear it surely won’t happen!

As for the commitments to deadlines - I personally do not see any problem in them being drastically changed or cancelled. That’s how product/software development works. Not understanding the long-term plan is the ultimate reason where the frustration comes from, at least for me. Thanks again for shining more light on the context and the future!

Thanks again for the great work the Auth0 team does!

Tom

UPD: Edited the thread title to more closely match the essence of the thread.


Thanks a lot @gary.gwin for contributing to this thread! And also ++ for you @tom85 for sharing all that feedback!
