Questions tagged [authorization]
The authorization tag has no summary.
184 questions
1 vote, 1 answer, 215 views
Prevent unregistered users from accessing the system using JWT?
I am working on an identity and users service in a microservices system for which a passwordless, SMS-based authentication is a hard requirement, i.e.
User enters their phone number
System sends the ...
3 votes, 1 answer, 702 views
RBAC vs PBAC vs ACL
I’m trying to clarify the difference between Role-based Access Control, Policy-based Access Control, and Access Control List when designing an authorization system.
I have two scenarios:
Scenario A
I ...
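The three models named in this question decide the same request from different inputs: RBAC from the user's roles, ACL from a per-resource entry list, PBAC from attributes of subject, resource, action and context. The following is an added example (editor's code, not the poster's) that evaluates one request under all three side by side; the users, documents, roles, ACL entries and policies are constructed sample data, and "project"/"clearance" are assumed attribute names.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    user: str
    action: str                                    # "read" or "write"
    resource: str                                  # e.g. "doc:42"
    context: dict = field(default_factory=dict)    # request-time attributes (time of day, IP, ...)


# --- Constructed sample data (assumption: a two-project document store) ---
USER_ROLES = {"alice": {"editor"}, "bob": {"viewer"}, "carol": set()}
ROLE_PERMS = {"viewer": {"read"}, "editor": {"read", "write"}}

# ACL: each resource carries its own entries of principal -> allowed actions
ACL = {
    "doc:42": {"alice": {"read", "write"}, "carol": {"read"}},
    "doc:43": {"bob": {"read"}},
}

# Attributes consumed by PBAC policies
USER_ATTRS = {
    "alice": {"project": "p1", "clearance": "internal"},
    "bob":   {"project": "p2", "clearance": "secret"},
    "carol": {"project": "p1", "clearance": "internal"},
}
RESOURCE_ATTRS = {
    "doc:42": {"project": "p1", "classification": "internal"},
    "doc:43": {"project": "p2", "classification": "secret"},
}
CLEARANCE_RANK = {"none": 0, "internal": 1, "secret": 2}


def rbac_allows(req: Request) -> bool:
    """RBAC: permissions attach to roles, roles attach to users. The decision never
    sees which resource is involved, so it is the same for every document."""
    perms = set()
    for role in USER_ROLES.get(req.user, set()):
        perms |= ROLE_PERMS.get(role, set())
    return req.action in perms


def acl_allows(req: Request) -> bool:
    """ACL: the resource itself lists who may do what. Exact per object, but every
    object needs its own entries maintained as users and objects come and go."""
    return req.action in ACL.get(req.resource, {}).get(req.user, set())


def pbac_allows(req: Request) -> bool:
    """PBAC: rules over attributes of subject, resource, action and context.
    Default deny; the request is allowed if any policy matches."""
    u = USER_ATTRS.get(req.user, {})
    r = RESOURCE_ATTRS.get(req.resource, {})
    same_project = u.get("project") is not None and u.get("project") == r.get("project")
    cleared = (CLEARANCE_RANK.get(u.get("clearance", "none"), 0)
               >= CLEARANCE_RANK.get(r.get("classification", "secret"), 2))
    policies = [
        req.action == "read" and same_project,
        req.action == "write" and same_project and cleared
        and not req.context.get("off_hours", False),
    ]
    return any(policies)


def decide(req: Request) -> dict:
    """Evaluate one request under all three models."""
    return {"rbac": rbac_allows(req), "acl": acl_allows(req), "pbac": pbac_allows(req)}
```

Running `decide(Request("alice", "write", "doc:43"))` shows the practical difference: RBAC says yes because alice is an editor everywhere, while the ACL (no entry for alice on doc:43) and PBAC (different project) both say no; adding `context={"off_hours": True}` flips only the PBAC answer, since only that model sees request-time attributes.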
4 votes, 3 answers, 228 views
Achieving Multitenancy with an External Identity Provider
We are designing a backend system for a large platform where users can interact with multiple products on behalf of different companies.
We plan to use Keycloak as an external identity provider. The ...
2 votes, 3 answers, 426 views
Handling authorization and authentication with an API gateway
Recently, I’ve found myself designing a microservices system, and I’m currently facing some challenges with authentication and authorization.
Context
All my microservices will be placed behind an API ...
3 votes, 2 answers, 327 views
Microservices blindly trusting anything due to network segmentation?
So I just fell into a project where microservices are inside private subnets and therefore aren't reachable through the internet.
There is a balancer that can reach these microservices and this balancer ...
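The alternative to trusting the subnet is for every service to verify the caller's credential itself on each inbound request. The following is an added example (editor's code, not from the post) of a service doing that with an HS256 JWT using only the Python standard library: the algorithm is pinned, the signature is compared in constant time, and expiry and audience are checked so a token issued for one service cannot open another. The shared secret, the service names and the claim values are assumptions; in a real deployment the minting side lives in the identity service or gateway and the services would normally verify against a public key rather than share a secret.

```python
import base64
import hashlib
import hmac
import json
import time


class AuthError(Exception):
    """Raised for any token that must not be trusted."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes) -> str:
    """Issue an HS256 JWT (assumption: done by the identity service, not by callers)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(signature)}"


def verify_token(token: str, secret: bytes, expected_aud: str, now=None) -> dict:
    """Return verified claims or raise AuthError. Each service calls this itself;
    the private subnet and the load balancer play no part in the trust decision."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        provided_sig = _b64url_decode(sig_b64)
    except ValueError:                      # covers binascii.Error and JSONDecodeError
        raise AuthError("undecodable token")
    # Pin the algorithm: never let the token choose (rejects "none" and key-confusion tricks).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise AuthError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, provided_sig):   # constant-time comparison
        raise AuthError("bad signature")
    try:
        claims = json.loads(_b64url_decode(claims_b64))       # parsed only after the signature holds
    except ValueError:
        raise AuthError("undecodable claims")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise AuthError("expired")
    if claims.get("aud") != expected_aud:                    # a token for service A must not open service B
        raise AuthError("wrong audience")
    return claims


def handle_request(headers: dict, secret: bytes, service_name: str, now=None):
    """What each microservice does on every inbound call, whatever the source IP."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = verify_token(auth[len("Bearer "):], secret, expected_aud=service_name, now=now)
    except AuthError as err:
        return 401, str(err)
    return 200, f"hello {claims.get('sub')}"
```

With this in place a compromised neighbour in the same subnet, or a misrouted request from the balancer, still needs a valid token for the specific target service; network segmentation then reduces exposure rather than standing in for authentication.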
4 votes, 1 answer, 180 views
Next Auth Flow For Use with Ruby on Rails API
I plan to have a frontend web app written with Next.js using the AuthJS library to provide user authentication using OAuth. This frontend application depends on a backend API. I want to make sure my ...
0 votes, 2 answers, 185 views
Prevent download of static files referenced only from pages a user is not authorized to access
Let's say a user is authenticated to a website and can access a given page only if authorized to access it specifically, e.g. if the website has only these 2 pages
https://my-classified-docs.com/page=...
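A static file served from a plain static route inherits no authorization from the page that links to it: anyone who learns the URL can fetch it. The following is an added example (editor's code, not from the post) of the usual fix, a handler that serves assets only through a registry mapping each asset to the page that owns it and applies that page's authorization on every request. The asset names, page identifiers and viewer lists are constructed sample data; the point generalises to any store where the file must not also be reachable directly (a public CDN path, for instance).

```python
import posixpath
from urllib.parse import unquote

# Constructed registry: every servable asset is listed with the page that references it
# (None = public). Anything not registered is never served, whatever exists on disk.
ASSET_OWNER_PAGE = {
    "reports/q1.pdf": "page=finance",
    "reports/salaries.xlsx": "page=hr",
    "img/logo.png": None,
}
# Who may open each page; an asset inherits the authorization of its owning page.
PAGE_VIEWERS = {"page=finance": {"alice"}, "page=hr": {"bob"}}


def canonical_key(requested: str) -> str:
    """Turn the request path into a registry key: percent-decode once, normalise
    separators, and collapse '.', '..' and '//' under a virtual root so a traversal
    attempt cannot escape it."""
    decoded = unquote(requested).replace("\\", "/")
    return posixpath.normpath("/" + decoded).lstrip("/")


def serve_asset(user, requested: str):
    """Return (status, asset_key). The authorization decision is made here, per request."""
    key = canonical_key(requested)
    if key not in ASSET_OWNER_PAGE:
        return 404, None
    owner_page = ASSET_OWNER_PAGE[key]
    if owner_page is None:
        return 200, key                       # public asset
    if user is None:
        return 401, None                      # not logged in: ask for credentials
    if user not in PAGE_VIEWERS.get(owner_page, set()):
        return 404, None                      # unauthorized: same answer as "does not exist"
    return 200, key
```

Two design points carried by the code: unauthorized and non-existent assets get the same response so the URL space does not leak which classified documents exist, and the lookup is an allowlist, so a traversal string that normalises to something outside the registry is refused before any file access happens.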
0 votes, 1 answer, 294 views
How to design permission-based authorization for individual resources for individual users?
I need to design a system that handles multiple types of resources, each having their own business logic and different types of actions available for those resources. The requirements are a natural ...
0 votes, 1 answer, 171 views
Authorization business logic on claims or on app database?
Context: I have an API (using DDD) with an entity, let's call it "Content", that can only be updated by certain users.
For example, Content with Id = 1 can only be modified by User Id = 1, ...
0 votes, 0 answers, 119 views
Avoiding conflicts with Microsoft Two-factor authentication across multiple web applications help
I'm designing a web application and using Microsoft's out of the box Identity and its default Two-Factor Authentication (with Asp.net core MVC and .NET 8). While setting up and testing the 2FA ...
1 vote, 2 answers, 227 views
Access Token Or Alternative for Microservices For Resource Level Granular Checks
Hi, I have the following structure:
Client App (Layer 1)
Business logic services (Layer 2)
The business logic layer consists of many microservices. An access token can be created and passed from the app layer to ...
4 votes, 1 answer, 958 views
In a web application, should "private" user images be protected with authentication/authorization?
When creating a web application that will allow users to upload images and mark them as private, should those images be protected by authentication and authorization mechanisms against access by other ...
0 votes, 1 answer, 551 views
Efficient API pagination with external authorization service?
Let's say we want to return a paginated list of document ids that a user can view. In the DB we have:
doc_id  user_id
ABC     user_1
def     user_1
...     ...
We use an external authorization service, so we can query ...
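When the authorization decision lives outside the database, a page cannot be produced by a single query; the common pattern is to read candidates in keyset order, check each batch with one round trip to the authorization service, skip denied rows while still advancing the cursor, and cap the number of round trips so a user who can see almost nothing cannot force an unbounded scan. The following is an added example (editor's code, not from the post) of that loop; the table rows, the sharing grants and the `authz_batch_check` stand-in for the external service are constructed, and the service's real API is assumed to offer some batch or list-objects call.

```python
from typing import List, Optional, Set, Tuple

# Constructed sample "table" of (doc_id, owner), already sorted by doc_id for keyset pagination.
DB = [(f"d{i:02d}", "user_1" if i % 3 == 1 else "user_2") for i in range(1, 13)]
# Constructed grants that exist only in the external authorization service.
SHARED_WITH = {"user_1": {"d05", "d12"}}


def db_fetch_after(cursor: Optional[str], limit: int) -> List[str]:
    """Stand-in for: SELECT doc_id FROM docs WHERE doc_id > :cursor ORDER BY doc_id LIMIT :limit"""
    return [doc_id for doc_id, _ in DB if cursor is None or doc_id > cursor][:limit]


def authz_batch_check(user: str, doc_ids: List[str]) -> Set[str]:
    """Stand-in for ONE round trip to the authorization service: check many
    (user, view, doc) tuples at once and return the allowed subset."""
    owner_of = dict(DB)
    return {d for d in doc_ids if owner_of.get(d) == user or d in SHARED_WITH.get(user, set())}


def list_viewable(user: str, page_size: int, cursor: Optional[str] = None,
                  batch_size: Optional[int] = None,
                  max_round_trips: int = 5) -> Tuple[List[str], Optional[str]]:
    """Return (page, next_cursor); next_cursor is None once the table is exhausted.

    Candidates come from the DB in keyset order, each batch goes to the authz service
    in one call, and denied rows are skipped but still move the cursor forward. The
    round-trip cap bounds the work one request can cost; when it is hit the caller
    receives a short page plus a cursor and simply asks again."""
    batch_size = batch_size or page_size * 2      # over-fetch to absorb rows that get filtered out
    page: List[str] = []
    for _ in range(max_round_trips):
        candidates = db_fetch_after(cursor, batch_size)
        if not candidates:
            return page, None                       # nothing left to examine
        allowed = authz_batch_check(user, candidates)
        for doc_id in candidates:
            cursor = doc_id                         # advance past every examined row, allowed or not
            if doc_id in allowed:
                page.append(doc_id)
                if len(page) == page_size:
                    return page, cursor
    return page, cursor                             # round-trip cap reached: partial page, resumable
```

Because the cursor is the last row examined rather than the last row returned, the next call never re-checks rows the service already denied, and the total number of authorization calls over a full listing stays proportional to the table size rather than to the number of pages requested.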
1 vote, 0 answers, 213 views
OpenID Connect and User Management Best Practices
Currently my company has 2 applications that use Identity Server for SSO. Not every client we have uses both applications but some do. The part I'm uneasy about is that both apps have a user ...
0 votes, 2 answers, 426 views
How to best protect a public API from unwanted requests
I’ll try my best to explain, but for the closest context I could think of, imagine that I am building an analytics platform that allows paying users to sign up, place a tracking script on their ...