C# 5mo ago
AL1AS

Flexible Authentication and Authorization

I have done research for quite some time now but could not find many resources on these topics. What I would like to achieve is this:
- I would like to be able to create permissions at runtime and assign those permissions at a per-user level and not Role level.
- These permissions are for each of the endpoints, such as for Sales, Customers, etc.
- I also want the Authentication to be based on JWT tokens because it is going to be used on different clients such as mobile/web (JS Client), which use the tokens to perform route guard.

If you could suggest ways to achieve the above, or point to resources, I would really appreciate it. Thank you.
2 Replies
Anton 5mo ago
store claims in the token which list the permissions
you can then check the claims to see if a user may access something or not
use authorization policies if you can enumerate the possible combinations of requirements
if you can't or if it isn't practical, check the claims manually where you need it
jcotton42 5mo ago
Shouldn’t claims just be attributes? Storing the actual permission info there feels dubious to me.
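
An added example (not code from the thread) of the approach in the first reply: an ASP.NET Core minimal API that validates JWT bearer tokens and builds a policy on demand for any permission name, so permissions do not have to be enumerated at startup. It assumes a .NET 6+ web project with the `Microsoft.AspNetCore.Authentication.JwtBearer` package; the `permission` claim type, the `perm:` policy prefix, the issuer and audience values, the `Jwt:Key` configuration entry and the `PermissionPolicyProvider` class are all names chosen for this illustration.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.Tokens;
using System.Text;

var builder = WebApplication.CreateBuilder(args);

// Reject tokens with a bad signature, wrong issuer/audience, or expired lifetime.
// Issuer, audience and the "Jwt:Key" setting are placeholders for this example.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o => o.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true, ValidIssuer = "https://issuer.example",
        ValidateAudience = true, ValidAudience = "sales-api",
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = new SymmetricSecurityKey(   // HS256 needs a key of 256+ bits
            Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]!)),
    });
builder.Services.AddAuthorization();
// Replace the default provider so "perm:*" policies are created when first requested.
builder.Services.AddSingleton<IAuthorizationPolicyProvider, PermissionPolicyProvider>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Each endpoint names the permission it needs; no policy is registered up front.
app.MapGet("/sales", () => "sales data").RequireAuthorization("perm:sales.read");
app.MapGet("/customers", () => "customers").RequireAuthorization("perm:customers.read");
app.Run();

public sealed class PermissionPolicyProvider : DefaultAuthorizationPolicyProvider
{
    public const string Prefix = "perm:";
    public PermissionPolicyProvider(IOptions<AuthorizationOptions> options) : base(options) { }

    public override Task<AuthorizationPolicy?> GetPolicyAsync(string policyName)
    {
        // Policies without the prefix fall through to those registered normally.
        if (!policyName.StartsWith(Prefix, StringComparison.Ordinal))
            return base.GetPolicyAsync(policyName);
        // The token must carry a "permission" claim whose value equals the suffix.
        var policy = new AuthorizationPolicyBuilder(JwtBearerDefaults.AuthenticationScheme)
            .RequireAuthenticatedUser()
            .RequireClaim("permission", policyName[Prefix.Length..])
            .Build();
        return Task.FromResult<AuthorizationPolicy?>(policy);
    }
}
```

A token whose payload contains `"permission": ["sales.read"]` reaches `/sales` and gets 403 on `/customers`. Permissions carried in the token stay in effect until it expires, so a change made at runtime only applies to tokens issued afterwards.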