A simple API AuthZ subsystem when your IdP doesn't support OAuth2 scopes

• You have an API that's called by processes or other APIs.
• You must authorize access to API routes.
• You aren't using an API gateway.
• Your OAuth2 provider doesn't support scopes.
• Your OAuth2 provider uses client ids that aren't supported by any available authorization system.
• Your list of client ids and scopes is relatively small.

This context may sound strange, but maybe there's a reason I think this is worth building.

• Maintain a list of allowed scopes and scopes granted to OAuth2 client ids in a database.
• Cache the list in memory on startup.
• Provide admin endpoints to GET, POST, PUT (update), DELETE client id scope grants in the database.
  • On POST, PUT, DELETE, update cache
• Get admin client id(s) from an environment variable.

For development and proof of concept, I'll start with a simple API with a couple of demo endpoints, then build the code and endpoints that use it.

• API: Node, TypeScript, Express
• ORM: probably Prisma (because next point)
• Database: Given the implications of the context, something SQL
  • In my case, Postgres because I already have one handy (in Docker).

• Fastify version
• No-cache option (always read database)
• AuthN features ???
• UI for admin ???
• Alternative to SQL ??? (excuse to dig into micro-database options)
• Admin endpoints to GET, POST, PUT (update), DELETE allowed scopes in the database ???
  • On DELETE, remove scopes from any client id grants.

MIT.

Request, not a requirement: If you use this, port it to some other Node web framework, Java, C#, Carbon, Lua, AAAAAAAAAAAAAA!!!!, whatever, I'd appreciate a credit and a link if possible.