Hi, I am trying to implement RBAC with Okta. I can see some examples showing RBAC by having Users ==> Groups, then adding the groups to the token claims and filtering your APIs based on the groups.
However I need one more layer, so it will be something like this:
Users ==> Groups ==> Permissions
Some suggest implementing the Users ==> Groups part in Okta and the Groups ==> Permissions part at the app level, but this does not suit us, as we would have to provide a custom UI to manage Groups ==> Permissions.
One way to achieve what I want is to benefit from scopes: we can define custom scopes, make them default in Okta, and then create some access policy rules that define which scopes are assigned to each group.
However, that does not work directly: if we send ?scope=openid we will only get openid in the scp claim and we will not get the default scopes that we’ve defined. The default scopes will only be used if we send an empty scope query param in the authorization request, but if we do that we will lose OIDC, as it needs the openid scope.
Finally my questions are:
Why can’t any base scope be made a default in the Okta authorization server? For example, if I were able to make openid a default scope, it would have solved my problem.
Is there any expression to return the default scopes for a certain group?
For example, I have created the following:
custom scopes: “books.read” and “books.write”; I make both scopes default in Okta
access policy rules: assign “books.read” and “books.write” to anyone in group “books_admin”
Is there an expression to add a claim that outputs the scopes for the user’s groups regardless of what the client has sent in the authorization request?
What is the best way to achieve a 3-layer RBAC (Users ==> Groups ==> Permissions) without having Groups ==> Permissions defined at the app level?
Does anyone have an answer to any of the questions? Thanks
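As an added example (not from the original post, and not Okta's own code), this is how the API side of the design above would enforce the `books.read` / `books.write` permissions from the access token's `scp` claim, which is where the Groups ==> Permissions mapping ends up once access policy rules grant scopes per group. The HS256 secret, issuer and audience are constructed placeholders standing in for Okta's RS256 signing keys and tenant values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the Okta signing key. Okta signs access tokens with
# RS256 and publishes the public keys at the authorization server's JWKS URL;
# HS256 with a shared secret is used here only so the example runs offline.
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"
EXPECTED_ISSUER = "https://example.okta.com/oauth2/default"  # placeholder
EXPECTED_AUDIENCE = "api://books"                            # placeholder

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_demo_token(claims):
    """Mint an HS256 token for testing only; in production Okta mints tokens."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_token(token, now=None):
    """Check signature, issuer, audience and expiry; return claims or None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # reject alg=none and algorithm swaps
            return None
        expected = hmac.new(DEMO_SECRET, f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(body_b64))
    except ValueError:  # malformed base64/JSON or wrong segment count
        return None
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims

def is_allowed(token, required_scope, now=None):
    """Route-level permission check: the scope must be in the scp array claim."""
    claims = verify_token(token, now)
    return claims is not None and required_scope in claims.get("scp", [])
```

A route handler would call `is_allowed(token, "books.write")` before a write and reject the request when it returns False, so the API never needs its own Groups ==> Permissions table.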