oso authorizes Python

Episode Deep Dive

Guests introduction and background

Sam Scott is the technical co-founder of Oso with a PhD in cryptography. He wrote the initial versions of Oso and now leads the engineering team, focusing on authorization and security tooling. Graham Neray is the business co-founder of Oso, previously involved in building and scaling MongoDB. He oversees the company’s growth, marketing, and business operations while sharing product roadmap decisions with Sam.

What to Know If You're New to Python

The conversation centers on a Python library that handles authorization. Having a basic understanding of how Python projects are structured and how packages are installed (e.g., using pip) will help you follow along. Familiarity with Python functions, classes, and how external libraries plug into a web framework like Flask or Django is beneficial. If you need a starting point to learn the fundamentals of Python, consider the resources in the Learning Resources section below.

Key points and takeaways

1. Shifting the Focus to Authorization (AuthZ) Over Authentication (AuthN) The episode highlights a common gap: developers often think about user identity (authentication) but leave out a robust approach for “who can do what” (authorization). Oso is specifically designed to fill that need, making it easy to declare and enforce access rules throughout an application. This ensures consistent checks across every endpoint, minimizing security oversights.
   • Links and tools:
     • Oso Project
2. Policy as Code with Polar Oso uses a domain-specific language called Polar for defining authorization policies. Inspired by Prolog’s logic programming, Polar describes rules such as “who can read what” or “what conditions allow a manager to see specific data” in a concise, human-readable way. Because Polar is declarative, it captures intricate relationships—like managers, sub-teams, or advanced object hierarchies—in just a few lines of code.
   • Links and tools:
     • Polar Language Documentation
3. Separation of Concerns: Identity vs. Access The library clearly separates authentication from authorization. No matter how you validate your users—via usernames, passwords, tokens, or single sign-on—Oso only steps in once you know who they are. This design keeps your security architecture clean and flexible and lets you plug in various identity providers without changing core authorization logic.
4. Built for Web Frameworks like Flask and Django Oso has tight integrations with popular Python frameworks. The conversation features examples where developers can add decorators in Flask or middlewares in Django to handle route-level checks. This “batteries included” approach simplifies the most common scenarios (e.g., ensuring only admins can perform certain actions).
   • Links and tools:
     • Flask
     • Django
5. Advanced Multi-Tenancy and Role Modeling The discussion covers hierarchical and dynamic roles, such as manager-employee relationships within large organizations. With a default “admin or non-admin” system, you’re likely to oversimplify or over-provision. Oso allows complex policies: e.g., “A manager can see all direct reports’ data, but not across departments.” This sophistication scales for enterprise-level, multi-tenant use cases like Slack or GitHub.
   • Links and tools:
     • Slack
     • GitHub
6. Rust for Performance and Cross-Language Support Under the hood, Oso is implemented in Rust for efficiency and safety, binding seamlessly to Python and other languages (Node.js, Ruby, etc.). This cross-platform approach provides a powerful engine that Python code can call into while still maintaining Python’s simplicity. Sam noted this design required a unique “event-driven” handshake between Rust and the Python runtime.
   • Links and tools:
     • Rust
7. Debugging, REPL, and Testing Policies One standout feature is the dedicated REPL and debugger for Polar policies. Developers can load their policy files, run queries, and step through the logic flow. This eliminates guesswork (e.g., “Did I indent my YAML correctly?”) and provides immediate feedback to confirm the rules are enforced as intended.
8. Open Source Community & Business Model Oso is completely open source, which allows developers to integrate authorization without vendor lock-in. For large-scale enterprise deployments—where teams need auditing, policy versioning, or microservices support—Oso plans to offer paid services on top. The model is similar to other open source companies, where the community edition is free, and managed or enterprise solutions help fund its ongoing development.
   • Links and tools:
     • MongoDB, referenced for the open-source-plus-business approach
9. Real-World Use Cases From healthcare (accessing patient records only within certain timeframes) to internal support tools (ensuring no one can post on a celebrity’s Twitter account by mistake), Oso solves the same fundamental question: “Is this request allowed?” The conversation underscores scenarios where failing to implement proper authorization leads to severe breaches or system misuse.
10. Easier Maintenance Over “If” Statements Everywhere Instead of sprinkling permission checks throughout your codebase, Oso centralizes rules in one place. This results in fewer errors, less duplication, and simpler updates when policies evolve. It also lowers friction in code reviews, letting teams rely on a single source of truth for who can access what.

Interesting quotes and stories

“It's one of those, if you do it right, they won't even know it's there.” Emphasizing how great authorization is often invisible to end users—it “just works.”

“We’re in a unique position to see who was authorized for what and at what time.” This points to the deeper insights Oso (and potentially other libraries) can offer for audit logs and traceability.

“If you woke up anyone on the team at night, they’d say ‘developers first.’” Illustrates Oso’s developer-centric ethos, drawing a parallel to Graham’s experience at MongoDB.

Key definitions and terms

• Authorization (AuthZ): Determining what a user can do after they have authenticated.
• Authentication (AuthN): Verifying a user’s identity, such as logging in with a username/password or social login.
• Polar: Oso’s declarative policy language inspired by Prolog, used to define authorization rules.
• Logic Programming: A style of programming where you define what the program should accomplish without detailing how to do it.
• Roles vs. Dynamic Policies: Traditional role-based access tries to group users by permission sets, but Oso’s dynamic approach can model real-world relationships more accurately.

Learning resources

• Python for Absolute Beginners: A comprehensive introduction to Python that teaches you the foundations needed to leverage libraries like Oso.
• Modern APIs with FastAPI and Python: If you’re building APIs in Python, this shows you how to create production-ready endpoints, which is directly relevant to Oso’s use in web backends.
• Full Web Apps with FastAPI: Learn to serve HTML-centric web apps with FastAPI, and consider integrating Oso for authorization.

Overall takeaway

Oso provides a modern, declarative approach to handling the often-overlooked aspect of application security: authorization. By bridging a powerful Rust core and a simple Python API, it helps you keep clean, centralized authorization rules in any Python web framework. The result is more robust security, faster development, and a single source of truth for who can do what in your application.