Skip to main content

Senior Software Engineer - Identity & Authorization Platform

ClickhouseEMEAToday
RustSecurity & IdentityPythonTypeScriptClickHouseAWSGCPAzure
Apply Now →

Job Description

The Platform Auth team’s goal is to support our ‘one customer identity’ vision by providing tools, processes, and expertise for our engineering teams to create a unified access management experience while simplifying and standardizing engineering patterns in the space. We are looking for engineers to join our growing team! 

What you will be doing:

  • Design and build the platform services that power authentication, authorization, and audit across ClickHouse Cloud. This includes a unified RBAC/ReBAC service, token issuance and session handling, and the SDKs that product teams embed to make authorization decision.

  • Model permissions and access control primitives (resources, roles, relationships, policies) that work across ClickHouse, SQL Console, ClickPipes, and HyperDX. Ship the libraries and APIs that other engineers build against.

  • Implement protocol-level support for SAML, SCIM, OIDC, OAuth2, and MFA/passwordless flows. Own the integrations that make enterprise SSO and provisioning work end to end.

  • Build the audit and authorization-decision telemetry pipeline so every access decision is observable, queryable, and surfaceable to customers.

  • Partner with product engineering teams to migrate bespoke per-product auth implementations onto the shared platform, and design APIs that make adoption straightforward.

  • Carry the platform on-call rotation and own production reliability for systems on the critical path of every customer request.

What you bring along:

  • Minimum 4+ years building production backend systems at scale. Comfort with at least one systems language (Go, Rust, C++) and one application language (TypeScript, Python).

  • Hands-on experience designing and implementing an authentication or authorization service. Examples include building a token issuer, an OIDC or OAuth2 provider, a policy engine, a permissions model, or an FGA/ReBAC system in the style of Zanzibar, OpenFGA, SpiceDB, or Cedar.

  • Working knowledge of SAML, SCIM, OIDC, and OAuth2 at the protocol level and are able to implement them.

  • Experience designing APIs and SDKs that other engineers depend on, with strong opinions on what makes them adoptable.

  • Experience operating distributed systems at scale, including caching strategies, consistency tradeoffs, and multi-region concerns.

  • Familiarity with identity vendors (Auth0, WorkOS, AWS/GCP/Azure IAM) as building blocks you've extended or integrated into a larger platform.

  • Strong production debugging instincts and a high bar for systems that are easy to develop against.

Bonus:

  • You've built or contributed to a Zanzibar-style authorization system, or run an OpenFGA or SpiceDB deployment beyond the demo.

  • You've designed a multi-tenant permission model that survived real customer requirements like custom roles, hierarchies, delegation, and ABAC attributes.

  • You've shipped an SDK that product teams across an org actually adopted, and have opinions about why most internal SDKs fail.

Source: AshbyView original listing →
The Rusty Bucket
Weekly curated Rust jobs delivered to your inbox.