Authorization in microservices arch
Hello everyone, I'm quite new to the .NET microservices architecture and right now I'm implementing a .NET app for learning management; it consists of several microservices and an API gateway (Ocelot). So the authentication is handled in the gateway (bearer token).

And for the authorization part I have some concerns: I have a dedicated microservice which holds the users' roles, permissions and scopes, and I was thinking of having a middleware in the gateway that on each request fetches the user's permissions and scopes and adds them to the request header. Then at the microservice layer, on each controller endpoint, I use a dedicated TypeFilterAttribute to which I pass a list of strings and optionally an operator that could be OR / AND. In the custom filter's OnAuthorization method I extract the user's permissions and apply the validation logic, taking into account the required permissions and the operator passed through the custom attribute. For the gateway I could also implement caching for the user permissions. Could this be a reliable solution? Maybe it's not a good idea to pass the permissions and scopes in the request header because it could exceed the size limit, and I assume that if only the gateway is exposed publicly there is no risk. What other alternatives do you see or use? Thanks.
2 Replies
Caching user permissions is dicey and should be driven by the domain/vertical. Compliance guidance will determine that; for example, access to medical records would be immediately revocable.
Here is a good overview of authorization handlers in ASP.NET Core:
https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-8.0
The docs call out that all auth handlers are AND, so if you need OR you're in some custom work land; I'd consider an attribute that an auth handler would consume, but mixing AND/OR can have undesirable results.
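As an added example (not code from either poster), here is how the "attribute that an auth handler would consume" idea from the reply can be built on ASP.NET Core policy-based authorization while keeping the OP's AND/OR operator. Because the framework ANDs separate requirements, the whole permission list and its operator are carried in one requirement and evaluated by one handler. The middleware that turns the gateway's header into claims is only safe under the OP's assumption that the gateway is the sole public ingress and overwrites that header on every request. The header name `X-User-Permissions`, the claim type `permission`, the policy names and the permission strings are all assumptions.

```csharp
// Added example, not from the original thread: policy-based authorization with
// AND/OR semantics inside a single requirement. Header name, claim type, policy
// names and permission strings are assumptions.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public enum PermissionOperator { And, Or }

// One requirement carries the full permission list plus the operator. ASP.NET Core
// combines *requirements* with AND, so OR logic has to live inside one handler.
public sealed class PermissionsRequirement : IAuthorizationRequirement
{
    public IReadOnlyList<string> Permissions { get; }
    public PermissionOperator Operator { get; }

    public PermissionsRequirement(PermissionOperator op, params string[] permissions)
    {
        if (permissions.Length == 0)
            throw new ArgumentException("At least one permission is required.", nameof(permissions));
        Permissions = permissions;
        Operator = op;
    }
}

public sealed class PermissionsHandler : AuthorizationHandler<PermissionsRequirement>
{
    public const string PermissionClaimType = "permission"; // assumed claim type

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, PermissionsRequirement requirement)
    {
        // Permissions granted to the caller, taken from claims (never re-read from headers here).
        var granted = context.User.FindAll(PermissionClaimType)
                                  .Select(c => c.Value)
                                  .ToHashSet(StringComparer.Ordinal);

        bool satisfied = requirement.Operator == PermissionOperator.And
            ? requirement.Permissions.All(granted.Contains)
            : requirement.Permissions.Any(granted.Contains);

        if (satisfied) context.Succeed(requirement);
        // Not calling Fail() lets other handlers for this requirement run; the policy
        // still fails (403) if no handler succeeds.
        return Task.CompletedTask;
    }
}

// Converts the gateway-supplied header into claims. Safe only while the gateway is the
// sole public ingress and overwrites this header on every request (assumption); if any
// other path reaches the service, the header is caller-controlled and must not be trusted.
public static class GatewayPermissionsMiddleware
{
    public const string HeaderName = "X-User-Permissions"; // assumed, comma-separated

    public static IApplicationBuilder UseGatewayPermissions(this IApplicationBuilder app) =>
        app.Use(async (HttpContext ctx, Func<Task> next) =>
        {
            // Only attach permissions to a principal the gateway's bearer token already authenticated.
            if (ctx.User.Identity?.IsAuthenticated == true &&
                ctx.Request.Headers.TryGetValue(HeaderName, out var raw))
            {
                var claims = raw.ToString()
                    .Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)
                    .Select(p => new Claim(PermissionsHandler.PermissionClaimType, p));
                ctx.User.AddIdentity(new ClaimsIdentity(claims));
            }
            await next();
        });
}

// Registration: each policy is exactly one requirement, so the operator applies as written.
public static class AuthorizationSetup
{
    public static IServiceCollection AddPermissionPolicies(this IServiceCollection services)
    {
        services.AddSingleton<IAuthorizationHandler, PermissionsHandler>();
        services.AddAuthorization(options =>
        {
            options.AddPolicy("Courses.Edit", p => p.AddRequirements(
                new PermissionsRequirement(PermissionOperator.And, "courses:read", "courses:write")));
            options.AddPolicy("Courses.View", p => p.AddRequirements(
                new PermissionsRequirement(PermissionOperator.Or, "courses:read", "courses:write")));
        });
        return services;
    }
}

// On an endpoint: [Authorize(Policy = "Courses.Edit")]
```

Pipeline order matters: call `app.UseAuthentication()` first so `ctx.User` is populated, then `app.UseGatewayPermissions()`, then `app.UseAuthorization()`. Keeping the AND/OR choice inside one requirement avoids the mixed-semantics problem the reply warns about, and revocation still follows whatever caching the gateway does, which is why the cache TTL has to match the domain's revocation requirements.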