Also, we do have custom claims (we should publish a spec and register
them at IANA...) for very coarse-grained authorization that amounts to
an application-level firewall logic that lets us isolate workloads by
type (think prod vs QA vs dev, but also other things).
No OAuth library on the server side can get that right today (we'd have
to contribute to them, which, ok, it's doable, but it takes time). This
is one reason that I want to get each claim as a config item I can
access in SQL code.
Nico
--
