
Questions tagged [authorization]

1 vote
1 answer
217 views

I am working on an identity and users service in a microservices system for which a passwordless, SMS-based authentication is a hard requirement, i.e. User enters their phone number System sends the ...
dzenesiz's user avatar
3 votes
1 answer
703 views

I’m trying to clarify the difference between Role-based Access Control, Policy-based Access Control, and Access Control List when designing an authorization system. I have two scenarios: Scenario A I ...
Meitaiyang's user avatar
4 votes
3 answers
228 views

We are designing a backend system for a large platform where users can interact with multiple products on behalf of different companies. We plan to use Keycloak as an external identity provider. The ...
ikiwq's user avatar
2 votes
3 answers
426 views

Recently, I’ve found myself designing a microservices system, and I’m currently facing some challenges with authentication and authorization. Context All my microservices will be placed behind an API ...
ikiwq's user avatar
3 votes
2 answers
327 views

So I just fell in a project where microservices are inside private subnets and therefore aren't reachable through the internet. There is a balancer that can reach these microservices and this balancer ...
Matheus's user avatar
4 votes
1 answer
180 views

I plan to have a frontend web app written with Next.js using the AuthJS library to provide user authentication using Oauth. This frontend application depends on a backend API. I want to make sure my ...
Romuloux's user avatar
0 votes
2 answers
185 views

Let's say a user is authenticated to a website and can access a given page only if authorized to access it specifically, e.g. if the website has only these 2 pages https://my-classified-docs.com/page=...
Francesco B.'s user avatar
0 votes
1 answer
294 views

I need to design a system that handles multiple types of resources, each having their own business logic and different types of actions available for those resources. The requirements are a natural ...
Nikola Dragić's user avatar
0 votes
1 answer
171 views

Context: I have an API (using DDD) with an entity, let's call it "Content", that can only be updated by certain users. For example, Content with Id = 1 can only be modified by User Id = 1, ...
Danielbahe's user avatar
0 votes
0 answers
119 views

I'm designing a web application and using Microsoft's out of the box Identity and its default Two-Factor Authentication (with Asp.net core MVC and .NET 8). While setting up and testing the 2FA ...
eaglei22's user avatar
1 vote
2 answers
227 views

Hi, I have the following structure: Client App (Layer 1), Business Logic Services (Layer 2). The Business Logic layer consists of many microservices. An access token can be created and passed from the App layer to ...
TechNjBat's user avatar
4 votes
1 answer
958 views

When creating a web application that will allow users to upload images and mark them as private, should those images be protected by authentication and authorization mechanisms against access by other ...
SunSparc's user avatar
0 votes
1 answer
551 views

Let's say we want to return a paginated list of document ids that a user can view. In the DB, we have: doc_id user_id ABC user_1 def user_1 ... ... We use an external authorization service, so we can query ...
janetsmith's user avatar
1 vote
0 answers
213 views

Currently my company has 2 applications that use Identity Server for SSO. Not every client we have uses both applications but some do. The part I'm uneasy about is that both apps have a user ...
Brad Firesheets's user avatar
0 votes
2 answers
426 views

I’ll try my best to explain, but for the closest context I could think of, imagine that I am building an analytics platform that allows paying users to sign up, place a tracking script on their ...
user8758206's user avatar
2 votes
1 answer
132 views

We are trying to implement an authorization and authentication service for our product. Now, we would have to cater to different kinds of IAM systems like SSO, LDAP and Basic Username+Password in ...
Anirban Das's user avatar
0 votes
2 answers
227 views

To best explain my context, imagine that I’m creating an alternative piece of software to google analytics (since my personal project’s principle is similar). Each unique user creates an account and ...
user8758206's user avatar
-2 votes
1 answer
220 views

I have read this example: https://auth0.com/blog/securing-grpc-microservices-dotnet-core/ In this example it explains how to implement authorization in a gRPC service. It says that the client requests a ...
Álvaro García's user avatar
0 votes
2 answers
293 views

We have an ongoing argument in our team. Please help. Here is the problem: In our SPA web app, let's say we have a resource which can be edited by only those users who belong to the team of the user ...
user3563059's user avatar
1 vote
0 answers
1k views

TLDR: I am trying to validate an Azure AD B2C access token in my Flask web API, use scopes from that access token to authorize calling protected resources, and use timely and secure solutions such as PKCE ...
linus's user avatar
0 votes
2 answers
320 views

I'm writing a webapp that serves users with different roles and permissions. One of the features of my application requires an API call to a secured endpoint. If the user doesn't have the correct ...
Nick Silvestri's user avatar
1 vote
3 answers
432 views

Currently working on a project where we have multiple services that all need to consume the same authorization service when their endpoints are hit. Right now we have the authorization boilerplate ...
Astrum's user avatar
0 votes
1 answer
948 views

I need to implement RBAC in a project I'm working on, and I'm fairly new to the concept. I am trying to figure out the best way to implement it. The most common approach seems to be to create roles ...
user3353167's user avatar
1 vote
1 answer
409 views

I am currently developing an iOS application where there are options on the screen to edit and delete a list. Only the user who created this list can edit or delete it. I am struggling to determine ...
Trenton's user avatar
0 votes
1 answer
713 views

I'm starting a project using Azure as our serverless framework. The project consists of two separate frontends applications that must talk to some backend services, some will be made by me and others ...
Mat-Tap's user avatar
2 votes
4 answers
3k views

I'm working on moving some of our flags to a 3rd party system but I kinda have a hard time, determining what should be a feature flag and what should remain as authorization permission to a particular ...
Nobody's user avatar
3 votes
1 answer
2k views

I am a newbie at this stuff, and while I was able to distinguish between role-based vs. policy-based authorization models, I can't seem to understand whether there is one between policy-based vs. ...
mlst's user avatar
2 votes
0 answers
249 views

What I want to know is whether we should perform authentication at the API gateway, at the individual service, or both. Let's frame this question and discussion in the context of new development. Specifically, ...
Mike G's user avatar
6 votes
1 answer
2k views

Say I have a system with 5 microservices behind a gateway, and a user signs in through an IDP (OAuth) A user U passes the access token in a request, and the call first reaches the gateway before it ...
Jerald Baker's user avatar
1 vote
0 answers
599 views

We are currently in the early phases of developing several applications that differ significantly in their functionality. As part of building these applications, we have also developed a few generic ...
udnes99's user avatar
0 votes
1 answer
562 views

We have a standard microservices setup (Identity Server, API Gateway, services, etc). Some of the services schedule events to be dispatched in the future (future = anything from mins to months ahead) -...
Keir's user avatar
0 votes
1 answer
472 views

I am struggling to find a good solution for authorization of users after they were properly authenticated through an oidc flow. Let's assume the following setup: An angular SPA is interacting with ...
Marc Wittke's user avatar
1 vote
0 answers
46 views

I would like to create a GUI + API that calls a third-party API as follows: the third-party API is consumed once a day by my API; the GUI user doesn't have to log in every day (e.g. can log in only once every 30 ...
jpawlowska's user avatar
1 vote
2 answers
602 views

I'm looking for a way to avoid centralized management of authorization rules. I'd like every microservice to be responsible for the authorization logic of its actions, but I'm having some trouble ...
Gur Galler's user avatar
1 vote
2 answers
651 views

So my current app process works like this: Client communicates with my API to get certain information My API needs information from a third-party API and uses these to create a response for the ...
hullunist's user avatar
0 votes
2 answers
666 views

Generally most of the authorization in the system is done in authorization layer which then calls commands/queries from application layer, which call methods on domain aggregates. However there are ...
user606521's user avatar
2 votes
1 answer
2k views

I am designing out an app that would have an Angular frontend and Spring Boot (Java) backend. I was considering (but not married to) the prospect of JWT-based authentication: User logs in with ...
hotmeatballsoup's user avatar
0 votes
0 answers
99 views

Currently, I have a script install_crontab.py -u <user> -c <config> This script takes care of installing cron job that runs as a given user. In my install_crontab script, I check (using ...
ThinkGeek's user avatar
2 votes
2 answers
179 views

What I'm trying to build: a REST API using Express and SQLite. 5 to 10 authors should be able to post articles to /articles; except for them, no one is allowed to post anything. My approach to building it ...
Fanbneyl's user avatar
2 votes
2 answers
759 views

My question may sound very naïve to someone, but it is what it is. I have below scenario: Relational MySQL Database with BIGINT primary keys and foreign keys Spring boot as a backend (technology ...
Jignesh M. Khatri's user avatar
1 vote
1 answer
103 views

For my recent project I decided to leverage Authentication-as-a-Service, in particular I am using Auth0 but I do not think this particularly matters. I've got my React client set up correctly and I am ...
Jesse Brands's user avatar
3 votes
1 answer
508 views

I have implemented authentication at the API Gateway level using NGINX+ and now I have a concern: should the APIs behind it still authenticate using API keys or JWT? What are the best practices? My point is ...
JackTheKnife's user avatar
2 votes
1 answer
440 views

I am an application developer and am building a token-based auth mechanism for my application. Essentially, the user will log in with username+password, if the credentials are valid, my code will ...
hotmeatballsoup's user avatar
1 vote
1 answer
308 views

I have experience building RBAC-based authorization mechanisms, and understand the theory behind ACLs (DAC?) though I've never had the need to implement them. A situation was just presented to me that ...
hotmeatballsoup's user avatar
1 vote
1 answer
689 views

I am building a REST API which would power a front end as well as other 3rd party apps and hence I want it to be as "standard" as possible. Right now, I am trying to stick to HATEOAS. The ...
Sayak Mukhopadhyay's user avatar
1 vote
1 answer
2k views

We have a Web server (which also does authentication and authorization) that manages, via an API, one or more servers that contain highly sensitive data. In the below architecture diagram, we manage ...
Matthew Knill's user avatar
1 vote
1 answer
478 views

I'm comfortable with a lot of OpenID Connect and OAuth2 concepts in the context of HTTP-based communication between microservices. I'm currently leveraging Azure AD. In the HTTP-based scenario I would ...
Burt's user avatar
1 vote
1 answer
1k views

At my company we have a central auth server running IdentityServer. There are a number of applications providing some API to client applications. API requests are authenticated with JWT tokens issued ...
abdusco's user avatar
1 vote
1 answer
327 views

Background: We're a smaller shop that puts out a number of products that require authentication and authorization. We're currently using a 3rd party service to "spin up new auth APIs" for ...
ClicheCoffeeMug's user avatar
1 vote
1 answer
687 views

Example Application: I will try to explain my problem by using a familiar application. Let's say I'm building a Discord / Slack / Microsoft Teams clone; and for simplicity's sake, it will contain 2 ...
Michiel's user avatar