Hey everyone,

tl;dr - What do you use for Authorization in your projects, and what's the benefit of using that system?

I'll be honest, I'm working on building an Authorization system right now.

We were contracted to build an ERP for a client, and the last of our 4-5 projects needed a complex authorization system.

So this time we wanted to build the Authorization system as a product in which you can customize the permissions, roles and policies. (And use it again and again - we already have a demo.)

I have found several ways to handle authorization, such as Zanzibar, OPA, Ory Keto etc... And I'm wondering what you use yourself in your side projects or at work?

What benefits did you find in your own way, etc.?
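Since the post asks how to make roles and policies customizable rather than hard-coded, here is an added example (not code from the thread or from any of the named products) of the core idea behind Zanzibar-style systems: permissions are relation tuples stored as data, and a small schema says which relations imply others and which are inherited from a parent object. The schema, object ids, users and tuples are all constructed sample data.

```javascript
// Added example: a minimal Zanzibar-style relation-tuple check.
// Roles ("owner", "editor", "viewer") and inheritance from a parent folder are
// expressed in the SCHEMA below rather than in if/else chains, so changing a
// policy means changing data, not code. Everything here is constructed.

// For each object type, a relation is satisfied directly by a tuple, by a
// stronger relation on the same object (implied_by), or by a relation on the
// object's parent (via_parent).
const SCHEMA = {
  folder: {
    owner:  { direct: true },
    editor: { direct: true, implied_by: ['owner'] },
    viewer: { direct: true, implied_by: ['editor'] },
  },
  doc: {
    owner:  { direct: true, via_parent: 'owner' },
    editor: { direct: true, implied_by: ['owner'], via_parent: 'editor' },
    viewer: { direct: true, implied_by: ['editor'], via_parent: 'viewer' },
  },
};

// Relation tuples "object#relation@subject". A subject is a user id or, for
// the special "parent" relation, another object. Constructed sample data.
const TUPLES = new Set([
  'folder:finance#owner@user:alice',
  'folder:finance#viewer@user:bob',
  'doc:q3-report#parent@folder:finance',
  'doc:q3-report#editor@user:carol',
]);

function hasTuple(object, relation, subject) {
  return TUPLES.has(`${object}#${relation}@${subject}`);
}

function parentOf(object) {
  for (const t of TUPLES) {
    const [objRel, subject] = t.split('@');
    if (objRel === `${object}#parent`) return subject;
  }
  return null;
}

// check(object, relation, user): does `user` hold `relation` on `object`?
// `seen` prevents infinite loops if parent links ever form a cycle.
function check(object, relation, user, seen = new Set()) {
  const key = `${object}#${relation}`;
  if (seen.has(key)) return false;
  seen.add(key);

  const type = object.split(':')[0];
  const rule = SCHEMA[type] && SCHEMA[type][relation];
  if (!rule) return false; // unknown type or relation: deny by default

  if (rule.direct && hasTuple(object, relation, user)) return true;

  for (const stronger of rule.implied_by || []) {
    if (check(object, stronger, user, seen)) return true;
  }

  if (rule.via_parent) {
    const parent = parentOf(object);
    if (parent && check(parent, rule.via_parent, user, seen)) return true;
  }
  return false;
}

// Example: alice owns the folder, so she can view the document inside it;
// bob only views the folder, so he cannot edit the document.
console.log(check('doc:q3-report', 'viewer', 'user:alice')); // true
console.log(check('doc:q3-report', 'editor', 'user:bob'));   // false
```

The deny-by-default branch for unknown relations is the part worth keeping in any real system: a typo in a permission name should fail closed, not silently grant access.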
There are two ways (that I'm aware of) of doing auth: JWT tokens or storing sessions in a database. Sessions in a database are probably the most secure way. But I'm working with a React SPA, so I'm using JWT tokens.

I've only had brief familiarity with using Amazon Cognito for work. Pain points are that I'm not sure how secure storing JWT tokens in the browser's localStorage is. I briefly looked into HTTP-only cookies, but it seems more difficult to set, and also not really worth it?

It seems that CSRF and XSS vulnerabilities remain an unsolved problem. If you want to improve on something in that space, I'd say security is *the* major area to do it in. Seriously, I'd put up with more technical pain than AWS Amplify's JavaScript library is giving me just to guarantee that the application is secure.