We are developing a back-office user application with lots of screens that interact with lots of REST APIs. In OAuth, most of the tutorials show how to authorize an API by getting details from the JWT and using them to check whether to allow or decline the request (policy decision point). But most companies have 1000s of APIs to deal with and can't carry all the information: if we have 1 role for each API, the JWT can be very heavy to carry all the information needed for all the APIs, and it can also be very difficult to write code for each API in tools like OPA / API gateway services. How can the authorization process be automated, at least to some level, without writing code for each API or without carrying all the information in the JWT, so the JWT can be very light? I am looking for best practices that are followed in big applications.
Viewed 105 times
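One common way to keep the token light is to put only coarse group membership in the JWT and keep the route-to-permission mapping and the group-to-permission mapping server side, where one rule covers a whole API family instead of one endpoint. The following is an added example written for this answer, not code from the asker or from any project mentioned on the page. The secret, the group names, the route table and the permission names are all constructed for the demo; a real deployment would verify tokens with the identity provider's public key and load the two tables from configuration.

```python
import base64
import hashlib
import hmac
import json
import re
import time
from typing import Optional, Tuple

# Constructed demo secret. A real gateway would verify RS256/ES256 tokens
# against the identity provider's published keys instead of a shared secret.
DEMO_SECRET = b"demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_jwt(claims: dict, secret: bytes) -> str:
    """Mint a minimal HS256 JWT (demo only; stands in for the identity provider)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Return the claims only if the algorithm, signature and expiry check out."""
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust the token's own alg choice
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:  # a missing exp is treated as expired
        raise ValueError("expired")
    return claims


# Server-side policy data (constructed). The token carries only group names;
# both tables below can change without reissuing a single token.
GROUP_PERMISSIONS = {
    "billing-ops": {"orders:read", "invoices:read", "invoices:write"},
    "support": {"orders:read", "customers:read"},
}

# One rule per API family, not per endpoint: (method regex, path regex, permission).
ROUTE_RULES = [
    ("GET", r"^/api/orders(/[^/]+)?$", "orders:read"),
    ("GET", r"^/api/invoices(/[^/]+)?$", "invoices:read"),
    ("POST|PUT|DELETE", r"^/api/invoices(/[^/]+)?$", "invoices:write"),
    ("GET", r"^/api/customers(/[^/]+)?$", "customers:read"),
]


def required_permission(method: str, path: str) -> Optional[str]:
    """Map a request to the permission it needs; None means no rule covers it."""
    for methods, pattern, perm in ROUTE_RULES:
        if re.fullmatch(methods, method) and re.match(pattern, path):
            return perm
    return None


def authorize(token: str, method: str, path: str,
              secret: bytes = DEMO_SECRET, now: Optional[float] = None) -> Tuple[bool, str]:
    """Policy decision: verify the token, resolve the route, compare permissions."""
    try:
        claims = verify_jwt(token, secret, now)
    except ValueError as err:
        return False, f"token rejected: {err}"
    perm = required_permission(method, path)
    if perm is None:
        return False, "no policy for route (default deny)"
    groups = claims.get("groups", [])
    granted = set().union(*(GROUP_PERMISSIONS.get(g, set()) for g in groups))
    if perm in granted:
        return True, f"{perm} granted via groups {sorted(groups)}"
    return False, f"missing {perm}"


if __name__ == "__main__":
    # Constructed token: one group claim instead of hundreds of per-API roles.
    tok = encode_jwt({"sub": "alice", "groups": ["billing-ops"],
                      "exp": time.time() + 300}, DEMO_SECRET)
    for m, p in [("GET", "/api/orders/42"), ("DELETE", "/api/invoices/7"),
                 ("GET", "/api/customers/9"), ("GET", "/api/reports")]:
        print(m, p, authorize(tok, m, p))
```

The point of the split is that the token size grows with the number of groups a user belongs to, not with the number of APIs, and a route that nobody has mapped is denied rather than silently allowed. Adding a new API means adding one line to the route table (or nothing, if it falls under an existing family pattern), not a new role and a new check in every service.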
- Are you saying 1 claim for each API? Then with 1000 APIs the JWT will have 1000 claims, which is too large? If you can give an example, that might help people understand your problem better. – Alex Jiang Mar 23 '22 at 04:08
- Sorry, it was role. We actually create 1 role per API and assign a role to a group and then assign the group to a user. We configure it in a way that the JWT will carry all the roles assigned to a user. And if a user should be able to call 1000 APIs then the JWT will be carrying 1000 roles. And so when we do authorization we check if the JWT carries a particular role to call an API. We didn't find a much better way to handle API identification. – nani21984 Mar 23 '22 at 05:38
- Assigning a role for each API does not seem a good way to me. Can you group the 1000 APIs into 10 groups so that you will only have 10 roles? – Alex Jiang Mar 23 '22 at 20:35