I am curious how peers are handling list type queries. Currently I am listing the relation tuples that fit the query, then using all the object id's to make the request to the database. It seems highly inefficient when Oathkeeper handles all my other checks with an authorizer to

relation-tuples/check

, but for list I set the object to

*

and that's my object reference for this type of relation for getting a list of objects from the db.

The alternative would be to get a list from the DB and check permissions on the objects. It depends a bit what permission allowed rate you have. A bulk-check API is an idea we had to make this more efficient. If anyone has alternative approaches, I'd be happy to discuss them as well.

What is "permission allowed rate"?

Basically whether 90% of the objects are allowed, or 0.01% If you load 1000 objects from the DB & check permissions, but only 1 turned out to be allowed, you wasted resources to get & check 999 objects

I see. It seems like in most cases you would want to first check permissions and then load, finding all the objects allowed to load from keto and then getting only those objects.