

Remote Authorisation SaaS - roles, permissions & policies

I've been thinking about this a while and I'm interested in hearing what the community thinks (note that this suggestion is cross-platform / language and not specific to Laravel)...

Pretty much any application of any real scale will involve some level of permissions (either role-based or policy-based). Since we inevitably have to include this in our app, would you be in favour of using a SaaS service for authorisation instead of building and managing your own authorisation system within your app?

You could use this service to define roles, permissions, policies etc.

Some benefits:

  1. Security - authorisation checks are performed offsite, so if a hacker gained access to your site / app, they would not be able to change who could do what (unless you intentionally exposed this functionality, but the idea would be not to do so).

  2. Centralisation - if your system involves multiple clients e.g. web app, desktop app, iOS and Android apps etc. you would not need to build an authorisation system into each of them, or ensure that new rules are deployed to all clients at the same time.

  3. Cross Platform - this builds from #2, since all authorisation would be performed using an HTTP request, no libraries or language / platform specific code would be required beyond fairly common functions e.g. base64 encoding and some AES crypto.

  4. Instant Updates - roles, permissions and logic can be changed at any time without having to expose such functionality on the system itself.

  5. Less Server Load - For mobile or desktop apps, you could save a trip to your server if authorisation returned false. Depending on the strain on your server, this could be valuable.

Some downsides:

  1. Latency - depending on your location, requests could take around 200ms to complete. However, this could probably be mitigated by building in support for servers in specific regions and using sub-domains to route the request.

  2. Downtime - if the service went down, no authorisation checks could be performed. Again, this could be mitigated by redundancies to ensure close to 100% uptime.

Anyway, that's the idea. What are your thoughts?

Thanks!

0 likes
2 replies
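Added example (not from the post, and not any real service's API): a minimal client for the remote-authorisation idea above, written in Python because the proposal is language-agnostic. The remote service, the shared-key HMAC-SHA256 request signing and the policy data are all constructed stand-ins; the client shows two defensive details that address the post's own downsides, a short decision cache for latency and fail-closed behaviour when the service is unreachable.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample policy that the stand-in "remote service" consults.
REMOTE_POLICY = {"editor": {"post:edit", "post:view"}, "viewer": {"post:view"}}
SECRET = b"shared-secret-placeholder"  # assumption: a shared HMAC key, not from the post


def fake_remote_service(payload: bytes, signature: str) -> dict:
    """Stand-in for the SaaS endpoint: verifies the signature, then evaluates the policy."""
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return {"allowed": False, "reason": "bad-signature"}
    req = json.loads(base64.b64decode(payload))
    return {"allowed": req["permission"] in REMOTE_POLICY.get(req["role"], set())}


class RemoteAuthorizer:
    """Client-side wrapper: signs each request, caches decisions, fails closed on outage."""

    def __init__(self, transport, cache_ttl=30.0, clock=time.monotonic):
        self.transport, self.cache_ttl, self.clock = transport, cache_ttl, clock
        self._cache = {}  # (role, permission) -> (decision, expiry)

    def can(self, role: str, permission: str) -> bool:
        key, now = (role, permission), self.clock()
        hit = self._cache.get(key)
        if hit and hit[1] > now:
            return hit[0]  # fresh cached decision: no round trip (latency mitigation)
        body = json.dumps({"role": role, "permission": permission}).encode()
        payload = base64.b64encode(body)
        sig = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
        try:
            allowed = bool(self.transport(payload, sig).get("allowed", False))
        except Exception:
            return False  # service unreachable: deny rather than guess (fail closed)
        self._cache[key] = (allowed, now + self.cache_ttl)
        return allowed
```

A cached decision keeps working through a short outage within its TTL, so the cache window is a deliberate trade-off between availability and how quickly a revoked permission takes effect.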
JosephDidz:

You can build your own cross-platform authentication system with Laravel and have ultimate control of your entire system. Here is a video to get you started with user authentication with roles in Laravel: https://youtu.be/SBsxeyHNss0

ThePenguin:

Thanks @JosephDidz, I'm very much aware that you can do this in Laravel. Thanks also for the video link.

As I mentioned in my post though, it was about whether there's value in extracting it to its own dedicated service that is separate from the app / platform for the benefits of security, centralisation, instant deployment etc.
