
We are building an application where the content, i.e. data and files, would need granular user access, the way roles and policies work. We use OAuth2 and OpenID Connect with one identity provider.

My question is about the possibility of leveraging a platform or AWS Cloud service where this type of granular authorization is available. I don't want to build a custom authorization matrix within my application; rather, I prefer to use the API of a service and user roles/policies for further actions.

When it comes to using scopes from OpenID Connect, they are more suitable for defining API-level access.

Maria Ines Parnisari
Atul
  • To my knowledge, AWS doesn't have a service that provides fine-grained authorization. But there are other companies that do. For example: Auth0 offers Sandcastle (currently in developer preview): https://learn.sandcastle.cloud/. – Maria Ines Parnisari Oct 06 '21 at 04:03

1 Answer


I would start with your requirements, such as users only being able to see their own data. Fine-grained authorization is typically managed via claims in tokens, which can be highly dynamic when required.

See this Claims Best Practices article for some details. It mentions some specialist authorization systems also.

Cloud solutions may at times be more focused on infrastructure security whereas OAuth deals with application and user level security.

Having said that, defining resource policies as JSON documents like AWS does could be a useful declarative technique to complement claims. At runtime you could then compare a claim from a token, e.g. a role, against the resource policy to see if the user should be granted access.

Gary Archer
  • I think I did not mention role and policy here in the right way. Agreed, at AWS they are used for resource access; I am looking for a similar mechanism at the application level. Basically there would be different roles within the application where each role can access certain types of documents and web pages. This can be implemented using a custom table structure for maintaining that granular and flexible authorization. Here I want to get it as a service or customizable platform rather than developing it. You gave me good pointers related to claims; let me read in detail and I will update you. – Atul May 05 '21 at 12:42
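The answer's suggestion of comparing token claims against declarative JSON resource policies, shown as an added example (not code from the answer, the asker, or any AWS or Auth0 product). The policy shape (`Statement`, `Effect`, `Roles`, `Action`, `Resource`, `Condition`) is a hypothetical one loosely modelled on the AWS style the answer mentions; the claims, document paths and the `owner_equals_subject` condition are constructed for the example. It also covers the "users only see their own data" requirement from the answer by binding a resource's owner to the token's `sub` claim, and it follows the usual safe evaluation order: an explicit deny wins, otherwise an allow is needed, otherwise the default is deny.

```python
import fnmatch
import json

# Constructed sample resource policy (hypothetical schema, not a real AWS document).
# - editors and admins may read and write any document
# - viewers may read a document only when they own it (condition on the sub claim)
# - nobody, whatever their role, may write under doc/legal/
RESOURCE_POLICY_JSON = """
{
  "Statement": [
    {"Effect": "Allow", "Roles": ["editor", "admin"],
     "Action": ["document:read", "document:write"], "Resource": "doc/*"},
    {"Effect": "Allow", "Roles": ["viewer"],
     "Action": ["document:read"], "Resource": "doc/*",
     "Condition": {"owner_equals_subject": true}},
    {"Effect": "Deny", "Roles": ["*"],
     "Action": ["document:write"], "Resource": "doc/legal/*"}
  ]
}
"""
POLICY = json.loads(RESOURCE_POLICY_JSON)


def _role_matches(statement_roles, token_roles):
    """A statement applies if it targets every role ("*") or one of the token's roles."""
    return "*" in statement_roles or any(r in statement_roles for r in token_roles)


def _pattern_matches(patterns, value):
    """Glob match (case-sensitive) of an action or resource against the policy patterns."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, claims, resource_attrs):
    """Evaluate the statement's conditions; unknown condition keys fail closed."""
    for key, expected in condition.items():
        if key == "owner_equals_subject":
            if (resource_attrs.get("owner") == claims.get("sub")) != expected:
                return False
        else:
            return False  # unrecognised condition: never grant on something we can't check
    return True


def decide(policy, claims, action, resource, resource_attrs=None):
    """Return 'allow', 'deny-explicit' or 'deny-default' for a token's claims.

    claims is the decoded (already signature-verified) token payload, e.g.
    {"sub": "user-1", "roles": ["viewer"]}; resource_attrs carries attributes
    of the resource being accessed, such as its owner.
    """
    resource_attrs = resource_attrs or {}
    token_roles = claims.get("roles", [])
    allowed = False
    for stmt in policy["Statement"]:
        if not _role_matches(stmt["Roles"], token_roles):
            continue
        if not _pattern_matches(stmt["Action"], action):
            continue
        if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
            continue
        if not _condition_holds(stmt.get("Condition", {}), claims, resource_attrs):
            continue
        if stmt["Effect"] == "Deny":
            return "deny-explicit"  # an explicit deny always wins
        allowed = True
    return "allow" if allowed else "deny-default"


def is_authorized(policy, claims, action, resource, resource_attrs=None):
    return decide(policy, claims, action, resource, resource_attrs) == "allow"


if __name__ == "__main__":
    editor = {"sub": "user-7", "roles": ["editor"]}
    viewer = {"sub": "user-1", "roles": ["viewer"]}
    print(decide(POLICY, editor, "document:write", "doc/marketing/plan"))
    print(decide(POLICY, editor, "document:write", "doc/legal/contract"))
    print(decide(POLICY, viewer, "document:read", "doc/notes/1", {"owner": "user-1"}))
    print(decide(POLICY, viewer, "document:read", "doc/notes/2", {"owner": "user-2"}))
```

The policy document is data, so it can be stored and edited outside the application code, which is the declarative benefit the answer refers to; the only application-side logic is the small evaluator above, fed with claims from a token whose signature has already been verified by the OAuth/OIDC layer.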