Customized access control using OAuth 2.0

by Shubham, Last Updated October 09, 2019 12:05 PM

I'm designing an enterprise infrastructure monitoring application which has customized needs of access control, beyond roles and authorities.

The architecture includes multiple nodes of a REST API being load balanced, an Angular client, and an authorization server based on OAuth 2.0 using JWT.

These REST API nodes are generic and can be run using different configuration properties which will make them work for a different infrastructure which is similar in nature but is separated on the business level. You can think of it as monitoring two different data-centers which are similar in nature but are managed by different groups of people due to the scale of the infrastructure.

The REST APIs can be run for any of the data-centers by changing some command line arguments.

Then there is an Angular client which is made in such a fashion that it can access both of the data-centers' REST APIs (there is a master dropdown in the top header; changing it will basically change the base URL for API hits and hence the datacenter) based on the authorities that the signed-in user has.

Now the problem part is access control using OAuth 2.0. There are three levels of access control required:

  • Level 1: Datacenter level
  • Level 2: Dashboard level
  • Level 3: Action (on a Dashboard) Level

So the use cases may include many situations like:

  1. A user having access to datacenter 1 but not to datacenter 2
  2. A user having access to a particular datacenter but not to a dashboard in that datacenter
  3. A user having access to a particular dashboard in datacenter 1 but not in datacenter 2
  4. A user having read access to a particular dashboard but not being able to modify anything on that dashboard in datacenter 1, while being able to modify the same things in datacenter 2

To handle all these scenarios, the Angular client will require every user's scope of access so that it can choose to show/hide and restrict access to a particular dashboard or action.

Now the question is that many of these access scopes are associated with a web client (the Angular client in our case) and are not directly related to the REST API, i.e. many of the authorities that I will be defining will be helpful for the Angular client but won't make any sense to any other client (for example, a Python client).

How can I handle such client-specific scenarios on the authorization server? Am I thinking in the right direction or do I need to change my perspective?
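Added example (not from the original question or any answer to it): one way to encode the three levels described above so that the same token serves both the Angular client and any other client. The permissions are expressed in terms of resources (datacenter, dashboard, action) rather than UI features; a resource server configured for one datacenter enforces only its own subtree, and a UI derives show/hide decisions from the same claims instead of relying on client-specific scopes. The claim name `perms`, the HS256 shared secret, and the datacenter/dashboard names are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, List

# Assumed permission claim layout (not from the original post):
# {"perms": {"<datacenter>": {"<dashboard>": ["read", "modify", ...]}}}
# Absence at any level means "no access" at that level and below.

# Constructed demo secret shared by the authorization server and the
# resource servers (a real deployment would use asymmetric keys or a KMS).
HS256_SECRET = b"constructed-demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, perms: Dict[str, Dict[str, List[str]]]) -> str:
    """Authorization-server side: mint an HS256 JWT carrying resource permissions."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "perms": perms}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(HS256_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str) -> dict:
    """Resource-server side: pin the algorithm and verify the MAC in constant time."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # never trust alg from the token (alg=none, confusion)
        raise ValueError("unexpected alg")
    expected = hmac.new(HS256_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


def is_allowed(claims: dict, datacenter: str, dashboard: str, action: str) -> bool:
    """Three-level check: datacenter -> dashboard -> action; any missing level denies."""
    return action in claims.get("perms", {}).get(datacenter, {}).get(dashboard, [])


def visible_dashboards(claims: dict, datacenter: str) -> List[str]:
    """What a UI would render for the selected datacenter: dashboards with any permission."""
    dashboards = claims.get("perms", {}).get(datacenter, {})
    return sorted(name for name, actions in dashboards.items() if actions)


# Constructed sample user covering the four scenarios from the question:
# dc1/network read-only, dc1/storage read+modify, dc2/network read+modify, no dc2/storage.
SAMPLE_PERMS = {
    "dc1": {"network": ["read"], "storage": ["read", "modify"]},
    "dc2": {"network": ["read", "modify"]},
}


def demo() -> dict:
    """Round-trip a token and evaluate the scenarios; returns the decisions."""
    claims = verify_token(issue_token("alice", SAMPLE_PERMS))
    return {
        "dc1_network_read": is_allowed(claims, "dc1", "network", "read"),
        "dc1_network_modify": is_allowed(claims, "dc1", "network", "modify"),
        "dc2_network_modify": is_allowed(claims, "dc2", "network", "modify"),
        "dc2_storage_read": is_allowed(claims, "dc2", "storage", "read"),
        "dc3_network_read": is_allowed(claims, "dc3", "network", "read"),
        "dc1_visible": visible_dashboards(claims, "dc1"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the layout is that the API node for datacenter 1 only ever consults `perms["dc1"]`, so a token that is valid for both datacenters cannot be used to act on one with the other's permissions, and a Python client gets the same answer from `is_allowed` that the Angular client uses to hide a button; the UI hint is a convenience, the server check is the control.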
