Github's authorization model uses a combination of roles and scopes, which makes it hard to pre-compute a user's access ahead of time.
Unlike most developer APIs, authorization is in the critical path of every application request, and requires a different architecture.
Why we started Aserto: the missing developer API for application authorization.
OAuth2 scopes were never intended to be an authorization mechanism, and indeed are a bad idea when used as a substitute for a real authorization architecture.
Authentication is a solved problem. But authorization remains a far bigger problem, and is far from solved.
Five principles that any developer solution for application authorization should adhere to.