With the proliferation of network-based applications, there are often many services running over different network protocols that need to appear as a coherent set of products and/or services to customers and partners, while also providing the developer community with a standard set of services to use as a platform. A primary challenge is providing a centralized identity service that offers a single authentication mechanism across all of the subservices, one that not only identifies a user but also determines which services, if any, the user is authorized to access, which permissions the user is granted, and which application program interface (“API”) scopes the user may utilize.
Some authorization systems utilize role-based access control schemes that affiliate a user's identity with one or more roles and permissions to control the services the user or client is entitled to use. Role-based access control systems, however, may not be capable of providing fine-grained control over whether a given user may use a specific feature of a service, or of limiting users to specific API calls. Rather, role-based access control systems typically use groups or roles to assign similar permissions to sets of users without the ability to limit or otherwise control scopes on an API level.
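The distinction drawn above can be made concrete with a small authorizer. The following Python is an added illustration and is not code from the original application; the role names, permission names, API endpoints, scope strings and the `Principal` class are all constructed for the example. It contrasts a role-only check, which grants any endpoint whose required permission the caller's roles cover, with a check that additionally requires the endpoint's API-level scope to be present on the caller's token.

```python
from dataclasses import dataclass

# Constructed sample data: roles map to coarse permissions.
ROLE_PERMISSIONS = {
    "admin": {"read", "write", "delete"},
    "editor": {"read", "write"},
    "viewer": {"read"},
}

# Constructed sample data: each (method, path) requires a permission
# (what RBAC can express) and an API scope (what it cannot).
API_REQUIREMENTS = {
    ("GET", "/documents"): ("read", "documents:read"),
    ("POST", "/documents"): ("write", "documents:write"),
    ("DELETE", "/documents"): ("delete", "documents:delete"),
    ("POST", "/billing/invoices"): ("write", "billing:write"),
}


@dataclass
class Principal:
    """Hypothetical caller: an identity with roles and the scopes its token carries."""
    user: str
    roles: set
    scopes: set


def _required(method, path):
    # Deny-by-default: an endpoint not in the table is never authorized.
    return API_REQUIREMENTS.get((method, path))


def rbac_authorize(principal, method, path):
    """Role-only check: any role holding the required permission suffices.

    Because 'write' is granted by the 'editor' role as a whole, this check
    cannot distinguish POST /documents from POST /billing/invoices.
    """
    req = _required(method, path)
    if req is None:
        return False
    permission, _scope = req
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in principal.roles))
    return permission in granted


def scoped_authorize(principal, method, path):
    """Fine-grained check: the role permission AND the endpoint's API scope
    must both be present, so a token can be confined to specific API calls."""
    req = _required(method, path)
    if req is None:
        return False
    _permission, scope = req
    if not rbac_authorize(principal, method, path):
        return False
    return scope in principal.scopes


if __name__ == "__main__":
    # An editor whose token was issued only with document scopes.
    alice = Principal("alice", {"editor"}, {"documents:read", "documents:write"})
    for method, path in API_REQUIREMENTS:
        print(method, path,
              "rbac=", rbac_authorize(alice, method, path),
              "scoped=", scoped_authorize(alice, method, path))
```

Running the block shows the gap the text describes: the role-only check admits `alice` to `POST /billing/invoices` because the editor role carries `write`, while the scoped check denies it because her token lacks `billing:write`, without needing a new role to be defined.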