Hello guys, another question 😅 Does it make sense to model oauth scopes into my schema? So instead of asking if an user has access to a resource, I would ask if a token has access to it. The token would inherit all the user permissions, but it would also have a set of scopes that grants only a subset of the user permissions. Does this make sense? If so, how could I model that?

I haven't personally modeled this out, but I'm curious to see what you come up with!

Yeah, I'm trying to figure out a model still. But most importantly, I'm trying to see if it makes sense. I guess it does

this seems to work: https://play.authzed.com/s/dvV_KjhxGw1E/schema

Awesome, thanks! We are also now considering doing this coarser authorization via service mesh, with istio. So we would have 2 layers of authorization, one with claims with istio, and a granular one with spicedb

out of curiosity, what would y'all be doing at istio level, service-to-service authorization (e.g. this service can to talk to this service)? and then the granular one would be more of a check at the business domain?

Kinda. The istio level would be to authorize based on access token scopes. So, even though the user has a lot of permissions, we might want to emit tokens with only a subset of those permissions

That makes sense, delegated (and attenuated) access via oauth tokens - even though the user may still have access 👍🏻 I suspect you could find ways to implement the attenuation in SpiceDB, but the nice thing is with the JWT you shed load from the application service. I still wonder if I'm overlooking the potential of the new enemy problem lurking somewhere in this mix.