Authorization must be fast and correct enough.
At scale, you will cache. The real question is: what are you willing to be stale about, and for how long?
Caching strategies
1) Cache decisions (per subject+resource+action)
- Great for read-heavy systems.
- Needs careful invalidation when relationships change.
2) Cache relationship lookups
- Cache relationship facts such as “member of org” or “doc shares” and re-evaluate the policy on each request, so a cached relationship is the only thing that can be stale.
3) Token/claim caching
- Use tokens for identity and coarse context, not fine-grained entitlements.
Revocation and “remove access now”
You need a story for:
- user removed from org
- role revoked
- account compromised
Patterns:
- short TTLs + refresh
- event-driven cache invalidation
- deny-lists for emergency revocation
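An added example, not code from the original post, showing how the caching strategies above and the revocation patterns combine: a decision cache keyed by subject+resource+action, bounded by a short TTL, with event-driven invalidation for “user removed from org” or “doc shares changed”, and a deny-list that overrides any cached allow for “account compromised”. The `evaluate` callback and `DecisionCache` name are assumptions for illustration.

```python
import time
from collections import defaultdict

class DecisionCache:
    """Caches allow/deny decisions keyed by (subject, resource, action).

    Staleness is bounded three ways: a short TTL, event-driven invalidation
    when a relationship changes (user leaves org, role revoked, share removed),
    and an emergency deny-list that is consulted before any cached allow."""

    def __init__(self, evaluate, ttl_seconds=60, clock=time.monotonic):
        self._evaluate = evaluate          # assumed: evaluate(subject, resource, action) -> bool
        self._ttl = ttl_seconds
        self._clock = clock                # injectable for tests
        self._decisions = {}               # key -> (allowed, expires_at)
        self._keys_by_subject = defaultdict(set)
        self._keys_by_resource = defaultdict(set)
        self._denied_subjects = set()
        self.backend_calls = 0             # how often we had to ask the policy engine

    def check(self, subject, resource, action):
        if subject in self._denied_subjects:   # deny-list wins over any cached allow
            return False
        key = (subject, resource, action)
        entry = self._decisions.get(key)
        if entry is not None and entry[1] > self._clock():
            return entry[0]                    # fresh hit, possibly stale within TTL
        self.backend_calls += 1
        allowed = bool(self._evaluate(subject, resource, action))
        self._decisions[key] = (allowed, self._clock() + self._ttl)
        self._keys_by_subject[subject].add(key)
        self._keys_by_resource[resource].add(key)
        return allowed

    def invalidate_subject(self, subject):
        """Event handler for 'user removed from org' / 'role revoked'."""
        for key in self._keys_by_subject.pop(subject, set()):
            self._decisions.pop(key, None)

    def invalidate_resource(self, resource):
        """Event handler for 'doc shares changed'."""
        for key in self._keys_by_resource.pop(resource, set()):
            self._decisions.pop(key, None)

    def emergency_revoke(self, subject):
        """'Account compromised': deny immediately, regardless of TTL."""
        self._denied_subjects.add(subject)
        self.invalidate_subject(subject)
```

Without the invalidation event, the removed editor keeps a stale allow until the TTL expires; that window is exactly what you are choosing to be stale about.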
Pitfalls
- Long-lived caches with no invalidation.
- Treating eventual consistency as a security feature.
- No incident playbook for global revocation.
Where to go next
- /category/access-management
- /topic/specifications/oauth-token-security-revocation-rotation-incident-response
- IDPro Book of Knowledge (reference): https://bok.idpro.org/
