Authorization in microservices arch
Hello everyone, I'm quite new to the NET microservices arhitecture and right now I'm implementing a. Net app for learning management and it consists in several microservices and an API gateway - Ocelot . So the authentication is handled in the gateway (bearer token)
And for the authorization part I have some concerns: i have a dedicated microservice which holds the users roles permissions and scopes and I was thinking that in the gateway to have a middleware and on each request to fetch the user permissions and scopes and add them in the request header. Then on microservice layer on each controller endpoint i use a dedicated typefilteredattr in which i pass a list of strings and optionally an operator that could be or / and . And in the custom filter in onauthorization method i extract the users permissions and apply the validation logic taking into account the required permissions and the operator that are passed throught the custom attribute. For the gateway i could also implement caching for the user permissions. Could be this a reliable solution . Maybe it s not a good ideea to pass the permissions and scopes in the request header because it could exceed the size limit and i assume that if only the gateway is exposed public there is no risk . What other alternatives do you see or use? Thanks.
And for the authorization part I have some concerns: i have a dedicated microservice which holds the users roles permissions and scopes and I was thinking that in the gateway to have a middleware and on each request to fetch the user permissions and scopes and add them in the request header. Then on microservice layer on each controller endpoint i use a dedicated typefilteredattr in which i pass a list of strings and optionally an operator that could be or / and . And in the custom filter in onauthorization method i extract the users permissions and apply the validation logic taking into account the required permissions and the operator that are passed throught the custom attribute. For the gateway i could also implement caching for the user permissions. Could be this a reliable solution . Maybe it s not a good ideea to pass the permissions and scopes in the request header because it could exceed the size limit and i assume that if only the gateway is exposed public there is no risk . What other alternatives do you see or use? Thanks.
