Authorization Academy Introduction

Authorization Academy is a series of technical guides that explains how to build authorization into an app, including architecture, modeling patterns, enforcement, testing, integration at the UI level and more. After completing this course, you will have a mental model for how authorization works and the tools to build it into an application yourself.

If you’re like most development teams, you want to spend only as much time as you need on authorization – and not a moment more. The problem is that there’s limited concrete material available for developers on how to build authorization into an app. To help developers build these systems and features, we wrote Authorization Academy.

To make the course as concrete as possible, we use an example application throughout the course, called GitClub. GitClub is a website for source code hosting, collaboration, and version control. This might sound familiar! Our inspiration for GitClub comes from real-world applications – GitHub and GitLab – which are good case studies for common authorization scenarios.

This course focuses on authorization in business-to-business (B2B) software-as-a-service (SaaS) applications, though we’ll also cover other patterns and models along the way. Developers of all experience levels will find the course useful. For beginner developers, the course will establish a strong base of authorization fundamentals. For more seasoned veterans, the course will offer a cleaner approach to problems they have likely encountered in the past.

We’re authorization professionals. We built this course based on our experience writing authorization systems ourselves, as well as dozens of conversations with developers working on authorization at companies ranging from startups to the Fortune 100.

What Does Authorization Academy Teach?

This content is broken up into chapters, where we’ll be covering the following topics:

  • Chapter II: What authorization is, and how to organize your authorization code
  • Chapter III: Role-based access control: grouping permissions in your app into roles like User and Admin
  • Chapter IV: Relationship-based access control: grouping permissions by relationship, like "the creator of a post may edit that post"
  • Chapter V: Authorization enforcement: once your app has decided to allow or deny access, what do you do with that decision?
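To make the three ideas in the chapter list concrete before the chapters themselves, here is a small GitClub model that combines them: roles on an organization that group permissions (Chapter III), a relationship rule that lets an issue's creator edit it (Chapter IV), and an enforcement wrapper that turns the allow/deny decision into control flow (Chapter V). This is an added illustration written for this page; it is not code from the course or from Oso, and the role names, permission vocabulary and GitClub objects are assumptions for the example.

```python
from dataclasses import dataclass, field

# RBAC: each role groups a set of permissions. The role names and the
# permission vocabulary are assumptions made for this example.
ROLE_PERMISSIONS = {
    "member": {"read"},
    "admin": {"read", "write", "delete"},
}


@dataclass(frozen=True)
class User:
    name: str


@dataclass
class Organization:
    name: str
    # user name -> role held in this organization
    roles: dict = field(default_factory=dict)


@dataclass
class Repository:
    name: str
    org: Organization
    is_public: bool = False


@dataclass
class Issue:
    title: str
    repo: Repository
    creator: User


class Forbidden(Exception):
    """Raised by authorize() when the decision is deny."""


def is_allowed(actor: User, action: str, resource) -> bool:
    """Decision logic: True only when some rule grants the action.
    Anything not explicitly granted is denied."""
    if isinstance(resource, Repository):
        # Anyone may read a public repository.
        if action == "read" and resource.is_public:
            return True
        # RBAC: a role held on the owning organization applies to its repositories.
        role = resource.org.roles.get(actor.name)
        return role is not None and action in ROLE_PERMISSIONS[role]

    if isinstance(resource, Issue):
        if action == "read":
            return is_allowed(actor, "read", resource.repo)
        if action == "edit":
            # ReBAC: the creator of an issue may edit it, whatever their role...
            if resource.creator == actor:
                return True
            # ...and so may anyone with write permission on the repository.
            return is_allowed(actor, "write", resource.repo)
        return False

    # Unknown resource type or action: deny by default.
    return False


def authorize(actor: User, action: str, resource) -> None:
    """Enforcement: a request handler calls this before touching the resource
    and lets Forbidden propagate to a 403 response."""
    if not is_allowed(actor, action, resource):
        raise Forbidden(f"{actor.name} may not {action} {type(resource).__name__}")


def build_gitclub() -> dict:
    """Constructed sample data for the GitClub example (not real data)."""
    alice, bob, carol = User("alice"), User("bob"), User("carol")
    acme = Organization("acme", roles={"alice": "admin", "bob": "member"})
    private_repo = Repository("gitclub", acme)
    public_repo = Repository("docs", acme, is_public=True)
    issue = Issue("Fix login bug", private_repo, creator=bob)
    return {
        "alice": alice, "bob": bob, "carol": carol,
        "private_repo": private_repo, "public_repo": public_repo, "issue": issue,
    }


if __name__ == "__main__":
    g = build_gitclub()
    for user in ("alice", "bob", "carol"):
        for action in ("read", "write", "delete"):
            print(user, action, "gitclub:", is_allowed(g[user], action, g["private_repo"]))
    authorize(g["bob"], "edit", g["issue"])  # creator of the issue: allowed
    try:
        authorize(g["carol"], "edit", g["issue"])  # outsider: denied
    except Forbidden as e:
        print("denied:", e)
```

Two design choices worth noticing: the decision (`is_allowed`) is separated from enforcement (`authorize`), so the same rules can later drive UI decisions such as hiding a button; and every branch ends in deny unless a rule grants the action, so adding a new resource type or action cannot accidentally open access.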

We're planning future chapters on:

  • User Interfaces
  • Testing your authorization code
  • Authorization across microservices

Next up we'll define authorization itself and give an overview of how to structure your authorization system.

As you go through this guide, we encourage you to join the community of developers in the Oso Slack! We'd love to talk about what you're working on and answer any questions you may have. If you want to kickstart the process of building authorization into your application, you can use Oso. To learn how, visit the docs.

Next chapter:

What is Authorization?
This chapter shows how authorization fits into a typical application, and how to think about architecting the authorization system itself. To illustrate the concepts, we walk through an example application and the life of a request.
