Ken_Adler | 5 years ago
But the issue you are trying to mitigate (heavy tokens due to a complex scope strategy) is a symptom of a bigger problem that has caused OAuth-using folks to scratch their heads for a long while. (Of course, it also relates to non-OAuth JWTs.)
TL;DR: The new "cloud native" way of solving for this is to not push your "permissions" through the token.
Basically, you limit the scopes included in a token to just a few basic ones (essentially assigning the user to a "role" - think RBAC)....
... and then you use a modern authorization approach (e.g. CNCF Open Policy Agent) to implement the detailed/fine-grained authorization.
It's hella cool, declarative, distributed, and infinitely scalable...
... and it obviates the whole "heavy JWT" issue before it starts....
Source: This is what I do day in, day out in my day job....
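The pattern described in the comment above, as an added example that is not part of the original post or of any OPA project code: a token carries only coarse role and team claims, and a request-time policy function (a stand-in for what OPA would evaluate from Rego, written here in plain Python) makes the fine-grained decision against resource attributes. The HS256 signing key, the `roles`/`teams` claim names, and the resource and project identifiers are all constructed for the demo; the "heavy" token shows what pushing every permission through the scope claim costs in size.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key shared by issuer and verifier; a real IdP would
# sign with its own key and publish the public half via JWKS.
SECRET = b"demo-secret-not-for-production"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_hs256(claims: dict) -> str:
    """Issue a compact JWS (HS256) over the given claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_hs256(token: str) -> dict:
    """Check the signature (constant-time compare) and return the claims."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload))


def is_valid(token: str) -> bool:
    try:
        verify_hs256(token)
        return True
    except (ValueError, json.JSONDecodeError):
        return False


# "Heavy" token: one scope per (project, verb) pair pushed through the token.
# 50 constructed project ids x 3 verbs = 150 scope strings.
HEAVY_CLAIMS = {
    "sub": "alice",
    "scope": " ".join(f"project:{pid}:{verb}" for pid in range(50) for verb in ("read", "write", "delete")),
}

# "Light" token: a handful of role/team claims; the detail lives in policy.
LIGHT_CLAIMS = {"sub": "alice", "roles": ["editor"], "teams": ["payments"]}

HEAVY_TOKEN = mint_hs256(HEAVY_CLAIMS)
LIGHT_TOKEN = mint_hs256(LIGHT_CLAIMS)


def authorize(claims: dict, action: str, resource: dict) -> bool:
    """Request-time policy, evaluated outside the token.

    This is a Python stand-in for an OPA/Rego rule: the token supplies who the
    caller is and which coarse roles they hold; the resource supplies its own
    attributes (here a constructed 'team' label); the policy combines them.
    """
    roles = set(claims.get("roles", []))
    if "admin" in roles:
        return True
    if action == "read":
        return bool(roles & {"viewer", "editor"})
    if action in ("write", "delete"):
        # Editors may mutate only resources belonging to one of their teams.
        return "editor" in roles and resource.get("team") in claims.get("teams", [])
    return False


def decide(token: str, action: str, resource: dict) -> bool:
    """Verify the token first, then ask the policy; any failure denies."""
    if not is_valid(token):
        return False
    return authorize(verify_hs256(token), action, resource)


if __name__ == "__main__":
    print("heavy token bytes:", len(HEAVY_TOKEN), "light token bytes:", len(LIGHT_TOKEN))
    print("write to payments resource:", decide(LIGHT_TOKEN, "write", {"team": "payments"}))
    print("delete billing resource:", decide(LIGHT_TOKEN, "delete", {"team": "billing"}))
```

Changing which teams an editor may write to is a policy or data change on the authorization side; no token has to be re-issued and no scope string grows, which is the point the comment is making.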
cordite | 5 years ago