Hey @chris-workinggears,
Sorry for the late reply and thank you for your patience.
To answer your questions, I think we need to clarify that the resource server is always responsible for checking authorization. The resource server makes authorization decisions based on information that may come from different sources: the access token, a database, a remote service, etc.
That said, let me try to answer your questions.
Question 1.
Permission-based or RBAC-based authorization is appropriate when you have a well-defined set of permissions that don't change dynamically. Pure RBAC is not appropriate for your example about using scopes such as `reservation:show:1`, `reservation:show:2`, etc., because, in this case, resources are dynamically generated. You also mentioned practical issues with the token size, which is a legitimate concern.
Bearing in mind that the resource server is responsible for making authorization decisions, it can combine information coming from the access token with information coming from other sources to allow or deny access to a resource.
For example, if the user can see only their own reservations, the resource server will evaluate the following information to make its decision:
- the presence of the `reservation:show` scope in the access token
- the user id associated with the access token (`sub` claim)
- the reservation id coming as a parameter in the HTTP request
- the user id and reservation id stored in the reservation database
Combining the information coming from these different sources, it can make its authorization decision and allow or deny the user access to that specific resource.
Question 2.
As said before, authorization decisions actually always happen on the resource server side.
The point here is: how convenient is it to have part of this information (i.e. scopes) coming from the access token?
As usual, it’s a matter of evaluation based on the specific context.
In simple cases, RBAC is enough. In slightly more complex cases, you may need to integrate information coming from the access token with information coming from other sources.
In even more complex cases, it's preferable to use different approaches like ABAC or FGA.
I hope I answered your questions.
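The decision described in the answer above, as an added example that is not part of the original post: a resource server function that combines the `reservation:show` scope and `sub` claim from an already-verified access token with the owner recorded for the reservation. The in-memory reservation store, the claim values and the function names are constructed for this example; signature, issuer, audience and expiry checks are assumed to have run before this code.

```javascript
// Added example, not code from the original post. Implements the rule
// "a user may only see their own reservations" on the resource server.

// Constructed in-memory stand-in for the reservation database.
const reservationDb = new Map([
  ["1", { id: "1", ownerSub: "auth0|alice" }],
  ["2", { id: "2", ownerSub: "auth0|bob" }],
]);

// True when the token's space-delimited `scope` claim contains `required`.
function hasScope(claims, required) {
  const scopes = typeof claims.scope === "string" ? claims.scope.split(" ") : [];
  return scopes.includes(required);
}

// Decide whether the caller identified by `claims` (the verified token payload)
// may view reservation `reservationId` (taken from the HTTP request).
// Returns { allowed, status, reason } so a handler can map it to a response.
function authorizeReservationShow(claims, reservationId, db = reservationDb) {
  // 1. Permission from the token: the coarse scope must be present.
  if (!hasScope(claims, "reservation:show")) {
    return { allowed: false, status: 403, reason: "insufficient_scope" };
  }
  // 2. Identity from the token: we need a subject to compare against.
  if (typeof claims.sub !== "string" || claims.sub.length === 0) {
    return { allowed: false, status: 401, reason: "missing_subject" };
  }
  // 3. Ownership from the database: the record's owner must match `sub`.
  const reservation = db.get(String(reservationId));
  // Same status for "does not exist" and "not yours", so the response does
  // not reveal which reservation ids exist.
  if (!reservation || reservation.ownerSub !== claims.sub) {
    return { allowed: false, status: 404, reason: "not_found" };
  }
  return { allowed: true, status: 200, reservation };
}

// Constructed decoded claims for two callers (what a verified JWT payload would hold).
const aliceClaims = { sub: "auth0|alice", scope: "openid reservation:show" };
const bobClaims = { sub: "auth0|bob", scope: "openid" };

console.log(authorizeReservationShow(aliceClaims, "1")); // allowed: true
console.log(authorizeReservationShow(aliceClaims, "2")); // status: 404
console.log(authorizeReservationShow(bobClaims, "2"));   // status: 403
```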