I have an app where users can access information about some entities.
I need to restrict access to the api so that users can only access entities that are assigned to them.
I also need admins to easily assign entities to users.
Should I handle that in my app with a database of which entities users are able to access, or should I handle that on the Okta side, and if so, how can I do it?
Thanks in advance.
Sounds like an authorization use case.
You may want to look into doing something like using group membership to determine if a user is allowed access to a protected resource by securing said resource using OAuth. That way, from Okta, you could get a list of the groups the user is a member of (say, one group for admins and individual groups for each entity) and on your application/resource server, wall access to these resources by ensuring that the user is a member of the required group(s). Then the only thing you would need to manage for each user is to make sure they are a member of the appropriate groups.
Some blog posts that discuss doing something like this are as follows (some of them are a little older, but discuss the same strategy I’m trying to describe):
Hint: you can likely find other similar blog posts by looking for phrases like ‘secure’ and ‘authorization’
My API serves information about some agencies.
I need to secure my API so that users can only request information about agencies that are assigned to them.
Agencies need to be individually assigned to each user.
I can’t make a group for each agency because I would need to manually create a group for each new agency and there would be too many groups.
My API is already secured with group authorization, but I need to check if a user can access information about an agency.
Thanks for your answer.
I maybe found a solution but I don’t know if it’s how I should do it.
I created a custom user specific profile attribute which is a number array.
From a custom front-end admin console, I’m going to set this attribute to the list of ids that a user can access.
I then created a custom access token claim that is mapped to the value of my attribute.
In the Spring API code, I check if the user can access information about this agency by checking if the id is in my custom claim.
Is this a good solution?
Thanks in advance.
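The following is an added example, not the poster's own Spring code and not anything published by Okta, showing how the two approaches in this thread fit together on the resource server: the admin group check from the first reply, plus the per-user agency list carried in a custom access-token claim from the last post. It assumes a Spring Boot application already configured as an OAuth2 resource server (so the validated token arrives as a `Jwt` principal), and it uses placeholder names for the `groups` claim, the custom `agencies` claim and the `Admins` group; the `Agency` record and its in-memory store are constructed sample data standing in for the real data layer.

```java
package example.agency;

import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.http.HttpStatus;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

/** Decision logic kept free of web concerns so it can be unit tested with a hand-built Jwt. */
public final class AgencyAccessPolicy {
    /** Placeholder claim and group names (assumptions); substitute the ones configured in Okta. */
    static final String GROUPS_CLAIM = "groups";
    static final String AGENCIES_CLAIM = "agencies";
    static final String ADMIN_GROUP = "Admins";

    private AgencyAccessPolicy() {
    }

    /** True when the token permits reading agency {@code agencyId}; an absent or malformed claim denies. */
    public static boolean canAccess(Jwt jwt, long agencyId) {
        if (jwt == null) {
            return false;
        }
        if (groupsOf(jwt).contains(ADMIN_GROUP)) {
            return true; // members of the admin group may read every agency
        }
        return assignedAgencies(jwt).contains(agencyId);
    }

    static Set<String> groupsOf(Jwt jwt) {
        List<String> groups = jwt.getClaimAsStringList(GROUPS_CLAIM);
        return groups == null ? Collections.emptySet() : Set.copyOf(groups);
    }

    /** The custom claim is a JSON array of numbers; the parser may yield Integer or Long, so normalise to long. */
    static Set<Long> assignedAgencies(Jwt jwt) {
        Object raw = jwt.getClaim(AGENCIES_CLAIM);
        if (!(raw instanceof Collection)) {
            return Collections.emptySet(); // claim missing or not an array: deny by default
        }
        return ((Collection<?>) raw).stream()
                .filter(Number.class::isInstance)
                .map(v -> ((Number) v).longValue())
                .collect(Collectors.toUnmodifiableSet());
    }
}

/** Minimal entity and in-memory store standing in for the real data layer (constructed sample data). */
record Agency(long id, String name) {
}

@RestController
class AgencyController {
    private final Map<Long, Agency> store = Map.of(
            1L, new Agency(1L, "Agency One"),
            2L, new Agency(2L, "Agency Two"));

    /** The resource-server filter chain has already checked signature, issuer, audience and expiry. */
    @GetMapping("/agencies/{id}")
    Agency getAgency(@PathVariable long id, @AuthenticationPrincipal Jwt jwt) {
        if (!AgencyAccessPolicy.canAccess(jwt, id)) {
            throw new ResponseStatusException(HttpStatus.FORBIDDEN, "agency not assigned to caller");
        }
        Agency agency = store.get(id);
        if (agency == null) {
            throw new ResponseStatusException(HttpStatus.NOT_FOUND);
        }
        return agency;
    }
}
```

Two properties of the claim approach are worth keeping in mind when deciding between it and an application-side table. The list in the token is a snapshot taken when the token was issued, so an assignment added or removed in the admin console only takes effect once the user obtains a new access token; keep token lifetimes short if that delay matters. The claim also grows with the number of agencies per user, and a very large array inflates every request, at which point storing the user-to-agency mapping in the application's own database and keeping only the user's identity in the token is the more robust choice. The policy class above can be unit tested without a running server by building a token with `Jwt.withTokenValue(...)` and the relevant `.claim(...)` values.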