ClickHouse is one of the most innovative and fast-growing private cloud companies, recognized on the 2025 Forbes Cloud 100 list. The Senior Software Engineer will design and build platform services for authentication and authorization, ensuring a unified access management experience across the company's cloud offerings.
Responsibilities:
- Design and build the platform services that power authentication, authorization, and audit across ClickHouse Cloud. This includes a unified RBAC/ReBAC service, token issuance and session handling, and the SDKs that product teams embed to make authorization decisions
- Model permissions and access control primitives (resources, roles, relationships, policies) that work across ClickHouse, SQL Console, ClickPipes, and HyperDX. Ship the libraries and APIs that other engineers build against
- Implement protocol-level support for SAML, SCIM, OIDC, OAuth2, and MFA/passwordless flows. Own the integrations that make enterprise SSO and provisioning work end to end
- Build the audit and authorization-decision telemetry pipeline so every access decision is observable, queryable, and surfaceable to customers
- Partner with product engineering teams to migrate bespoke per-product auth implementations onto the shared platform, and design APIs that make adoption straightforward
- Carry the platform on-call rotation and own production reliability for systems on the critical path of every customer request
Requirements:
- 4+ years building production backend systems at scale
- Comfort with at least one systems language (Go, Rust, C++) and one application language (TypeScript, Python)
- Hands-on experience designing and implementing an authentication or authorization service
- Working knowledge of SAML, SCIM, OIDC, and OAuth2 at the protocol level, and the ability to implement them
- Experience designing APIs and SDKs that other engineers depend on, with strong opinions on what makes them adoptable
- Experience operating distributed systems at scale, including caching strategies, consistency tradeoffs, and multi-region concerns
- Familiarity with identity vendors (Auth0, WorkOS, AWS/GCP/Azure IAM) as building blocks you've extended or integrated into a larger platform
- Strong production debugging instincts and a high bar for systems that are easy to develop against
- You've built or contributed to a Zanzibar-style authorization system, or run an OpenFGA or SpiceDB deployment beyond the demo
- You've designed a multi-tenant permission model that survived real customer requirements like custom roles, hierarchies, delegation, and ABAC attributes
- You've shipped an SDK that product teams across an org actually adopted, and have opinions about why most internal SDKs fail