Is there a reason why software developers aren't externalizing authorization?

I think the prospect of externalizing authorization is a much more difficult thing than externalizing authentication (OpenID, CardSpace, etc.). This is mainly due to the fact that authorization is much more application specific. What Person A is authorized to do in my application he may not be able to do in your application, and that's even assuming there's some common parallel between my application and yours, which most likely there won't be.

I don't want to say that externalizing authorization will never be done, but I honestly have a tough time coming up with reasons why you'd really want to do that. Maybe for a suite of applications that work side by side, but again, that would most likely be supported internally, rather than externally.


Also, remember that authorization !== authentication. Just because a user is authenticated doesn't mean you have solved the authorization part of your site. You still need to determine who gets to do what and when.


The main reason we continue to roll our own is that the options like OpenID et al. are only seemingly supported by tech sites. We're a smaller player, so we won't start using an external provider until such a time that there is a much greater user acceptance.

We don't want the first thing a user has to do on our site to involve going to another site.