The Auth0 Lab Profile picture
Exploring the future of identity. Current focus: web3 ∩ identity Incubated:, authorization at scale for devs Community Discord:
kevin_zz Profile picture 1 subscribed
Mar 10, 2022 8 tweets 4 min read
Thinking about the following identity stack:

🔑 Credentials
📣 Public Human Friendly Username
📣 Public User Data
📣 Public Ownership Attestations
🔒 Private User Data
🔒 Privacy Preserving Attestations

Read the 🧵 for a summary + demo of each of the components of the stack Image ℹ️ A short disclaimer: as with any Auth0 Lab project this is early thinking, it doesn't mean that we're implementing these ideas in auth0. We're having talks with orgs in the web3/DID world. Our goal is to learn and ultimately make an informed decision to move this vision fwd.
Jul 21, 2021 16 tweets 8 min read
.@dschenkelman's chat with @juanrossi, a Senior Platform Security Manager at @Mercadolibre. Join us to know more about their Authorization challenges and how they tackled them.

Join here… #Authorization and #Authentication are too critical to have everyone learning and implementing them from scratch. With more tens of thousands of employees, @Mercadolibre needed to create a solution that is easy to use and can be implemented in any language and tech stack
Dec 3, 2020 10 tweets 3 min read
1/ Let's continue exploring how the "Zanzibar" model allows us to solve #fgaatscale 👇

3️⃣ Correctness: no invalid permissions are granted

To provide "correct" answers, an ACL check needs to always read a "valid view" of the system. 2/ "Valid" means: the full state read from storage should have existed at a "logical point in time" and includes all committed records at that point.

The picture provides a counterexample, a request should not read two different values from a namespace at different reads. Image
Dec 2, 2020 11 tweets 4 min read
1/ Back after last week's break 😴, ready to talk about why we picked the "Zanzibar model" for project #sandcastle: 👇 2/ We've shared the 5 things needed to solve #fgaatscale

Let's explore high-level how "Zanzibar" works and how it meets those needs…
Nov 18, 2020 8 tweets 6 min read
1/ We've analyzed the #fgaatscale problem:

We've shared our view on the market:

It's time to tell you what we are planning to build 🥁... 🧵 2/ Project #sandcastle will be a globally distributed, highly reliable service for large scale, fine grained authorization.

It's based on @Google's Zanzibar paper:, that powers #fgaatscale for @googledrive @googlecloud @YouTube and @Google other products!
Nov 11, 2020 21 tweets 5 min read
1/ Having analyzed the @github and @googledrive #fgaatscale cases, we'll share our view on the authz market.

We'll go over what is currently being addressed and what the gaps are👇 2/
As we've mentioned before, solving #fgaatscale requires:
1️⃣ Permission modelling flexibility
2️⃣ Auditing capabilities
3️⃣ Correctness: no invalid permissions are granted
4️⃣ Low Latency
5️⃣ High availability
Nov 10, 2020 21 tweets 8 min read
1/ Last week we did a deep dive of @github's authorization model and the problems they solve

In this thread we'll focus on another well known product: @googledrive a great example of a collaboration platform.

📊How is gdrive "authorization at scale"? 2/ Well, in 2018 they:
- hit 1B users
- 2 trillion files…

🔐 Review their permission model
🔍Go over their "search" story and how authz fits in it
🎯Analyze examples of why "correctness" () is important
Nov 5, 2020 19 tweets 7 min read
1/ Last time explained why we are exploring fine grained authorization:

In this thread explore we'll the problems of authorization at scale using a real world, well known example 2/ This is a key part of product development, especially when building infrastructure. We want to understand what our customers will eventually build with our service.

Our analysis case is @github.
Oct 30, 2020 8 tweets 2 min read
1/ On Wed, we posted about why we are doing this and what we expect.

We also promised to unveil this week the problem we want to dive into 🥁... 2/ The area we'd like to explore is: *fine-grained authorization*

Why this? And why now?👇
Oct 28, 2020 9 tweets 3 min read
1/ Kicking off this experiment!

First thing, we want to share *why* we are doing this and set some expectations.

Thread 👇 2/ Building new products is a messy process. There is no manual. But one thing we know is if we focus on learning and iterating, we can get somewhere. Worst case we learn that an idea is not worth it, the best case we find a product. Either case we learn.