I am building a microservice-based application (services according to DDD) and am in the process of implementing an authorization service. There are API gateways and UI applications that access back-end servers, and they all need to query the authorization service.
Consider an ebay-like app with employees, sellers and buyers. There are users in my system, and each user can have multiple roles, such as: be both seller and buyer. A salesperson can be assigned several users (with several employees). Each employee has their own user ID, but they are assigned the same role (seller ID or buyer ID). Employees also have sub-roles: Sales Managers, Buyers, and Admins.
I'm planning a 3-tier, authorization-based authorization scheme:
- If UI Application: Is the user logged in and does the user ID have permission to view this page?
- If API Gateway: Is the API key valid? (No further exams here)
- Actions (backend services) – Does the user ID have permission to access this command or query on the backend server? (Application level authentication in DDD terms)
- Scope Command: Can the user change this amount of data? Query: Returns the subset of data allowed for this user ID.
Although I would like feedback on all three questions, my question is more about the third. Consider the following scenarios:
- An endpoint to retrieve all sellers in the database. A user with the Staff role and the Admin sub-role can view a list of all sellers. An employee with the Sales Manager sub-role can view a list of all the sellers he manages.
- As above, but change a seller. The seller manager can only change the sellers he manages.
- An endpoint for getting seller information by seller ID. Administrators have access to all IDs. Sales Managers have access to all the seller IDs they manage. Sellers only have access to their own seller ID.
- What's the best way to the API endpoint in the above scenario? For example, should I have a single endpoint for the return of all sellers? Or should I have separate endpoints based on the subroll types? Should I have separate endpoints for "Seller", "Seller Manager" and "Admin" for Scenario 3? There would be duplication, but perhaps more clarity.
- How should the scoping be done? I can have any permission in the authorization service
is_scopedboolean e.g. Permission "list_sellers", & scoped & # 39; = true. When this scope is set, the domain service will somehow detect this and limit the results. But how should that happen?
Any thoughts and suggestions would be appreciated!