C
C#7mo ago
ELENA

Authorization in microservices arch

Hello everyone, I'm quite new to the NET microservices arhitecture and right now I'm implementing a. Net app for learning management and it consists in several microservices and an API gateway - Ocelot . So the authentication is handled in the gateway (bearer token) And for the authorization part I have some concerns: i have a dedicated microservice which holds the users roles permissions and scopes and I was thinking that in the gateway to have a middleware and on each request to fetch the user permissions and scopes and add them in the request header. Then on microservice layer on each controller endpoint i use a dedicated typefilteredattr in which i pass a list of strings and optionally an operator that could be or / and . And in the custom filter in onauthorization method i extract the users permissions and apply the validation logic taking into account the required permissions and the operator that are passed throught the custom attribute. For the gateway i could also implement caching for the user permissions. Could be this a reliable solution . Maybe it s not a good ideea to pass the permissions and scopes in the request header because it could exceed the size limit and i assume that if only the gateway is exposed public there is no risk . What other alternatives do you see or use? Thanks.
2 Replies
Mayor McCheese
Mayor McCheese7mo ago
Caching user permissions is dicey and should be driven by the domain/vertical. Compliance guidance will determine that, example: access to medical records would be immediately revocable.
Mayor McCheese
Mayor McCheese7mo ago
Here is a good overview of authorization handler in asp.net core https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-8.0 The docs call out all authhandlers are AND so if you need OR you're in some customer work land; I'd consider an attribute that the an author handler would consume, but mixing and/or can have undesirable results.
Policy-based authorization in ASP.NET Core
Learn how to create and use authorization policy handlers for enforcing authorization requirements in an ASP.NET Core app.
Want results from more Discord servers?
Add your server
More Posts
✅ I can't get my runButton button to work on a windows form app```cs if (e.KeyCode == Keys.Enter || (e.Modifiers == Keys.None && sender == runButton)) ``` I can sGit and Google Drivenew git user.. it seems to have your local repositories in a google drive controlled file structure ASP.NET CRUD MODALI created a MVC controller with actions (CRUD) and I would like to know, how to modify this pre geneError✅ using from another csprojCurrently i have 2 projects, an api app and a worker service app And both use the same models. Is thJavascript not working on my MVC projectI'm learning front end tutorials at the moment so I'm totally new to designing websites. _Layout.cs