With federated security (e.g. OIDC + external identity provider) the owner of the REST API has no control over the user profile, so the owner of the API cannot store any application-specific information (such as user role or claim) in the user profile. That means that on each request the REST API has to retrieve the application-specific user profile with the application-specific user role. Am I missing something?
- You can use an API gateway coupled with an ABAC authorization engine (e.g. Axiomatics) to do exactly what you are looking for. It decouples authorization from the API's logic. – David Brossard Aug 28 '19 at 13:00
- An API gateway just moves the problem from the API to the gateway. The gateway still needs to retrieve the application-specific user profile on each request. – isobretatel Aug 28 '19 at 14:43
- No, the authZ engine would, and that's what they're designed to do. – David Brossard Aug 28 '19 at 15:05
- The authZ engine still needs to retrieve the application-specific user profile on each request. No magic. – isobretatel Aug 28 '19 at 16:49
- Yes, true, but they are designed to do that. – David Brossard Aug 28 '19 at 23:13