Friday, 29 September 2017

Designing Token Based Authorization Server Request/Response

Identity in our services is based on a token stored in a database. The token is acquired by the client by logging in with a user name and password.

Each time a resource is requested, we plan to validate the token and determine if the user is authorized to access that resource.

Our services are deployed separately, and the authorization server can be reached via HTTP.

What is the best practice, or the common way, of authorizing the requests?

Sending token with requested permission and role

I was thinking of passing in the token with the role and requested permission of the user in the token validation request to the authorization server.

{
  "token": "xyz",
  "role": "ROLE_ADMIN",
  "permission": "SAVE_USER"
}

and have the server respond with 200 for success, 401 for an invalid token, and 403 if the user is not authorized to use the permission.

Sending only the token in authorization request

Another approach in mind is sending just the token in the token validation request to the authorization server.

{
  "token": "xyz"
}

and have the server respond with all the roles and permissions the user has:

{
  "roles": ["ROLE_ADMIN", "ROLE_USER"],
  "permissions": ["SAVE_USER", "DELETE_USER", "SHOW_USER"]
}
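To make the two request/response shapes concrete, here is an added example (not code from the original post) of a minimal in-memory authorization server that exposes both variants, plus the resource-server side that consumes each. All users, roles, permissions, token values and the ROLE_PERMISSIONS mapping are constructed sample data; storing only a hash of the token, checking expiry, and refusing a role the token's user does not actually hold are hardening choices assumed here, not requirements stated in the question.

```python
import hashlib
import time

# --- Constructed sample data (not from the original post) --------------------
ROLE_PERMISSIONS = {
    "ROLE_ADMIN": {"SAVE_USER", "DELETE_USER", "SHOW_USER"},
    "ROLE_USER": {"SHOW_USER"},
}


def token_key(token: str) -> str:
    """Store only a hash of the bearer token so a leaked table yields no usable tokens."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


NOW = time.time()
TOKEN_STORE = {  # token hash -> session record (constructed)
    token_key("xyz"):     {"user": "alice", "roles": ["ROLE_ADMIN", "ROLE_USER"], "expires": NOW + 3600},
    token_key("limited"): {"user": "bob",   "roles": ["ROLE_USER"],               "expires": NOW + 3600},
    token_key("stale"):   {"user": "carol", "roles": ["ROLE_ADMIN"],              "expires": NOW - 1},
}


def resolve_session(token: str):
    """Return the live session for a token, or None if it is unknown or expired."""
    rec = TOKEN_STORE.get(token_key(token))
    if rec is None or rec["expires"] <= time.time():
        return None
    return rec


# --- Authorization server, variant 1: caller sends token + role + permission --
def check_permission(request: dict):
    """Decision endpoint: 200 allow, 401 bad token, 403 not authorized."""
    session = resolve_session(request.get("token", ""))
    if session is None:
        return 401, {"error": "invalid_token"}
    role, permission = request.get("role"), request.get("permission")
    # The asserted role must belong to the token's user; the caller is not
    # trusted to claim a role on the user's behalf.
    if role not in session["roles"]:
        return 403, {"error": "role_not_held"}
    if permission not in ROLE_PERMISSIONS.get(role, set()):
        return 403, {"error": "permission_denied"}
    return 200, {"user": session["user"]}


# --- Authorization server, variant 2: caller sends only the token -------------
def introspect(request: dict):
    """Introspection endpoint: 401 bad token, otherwise the subject's roles and permissions."""
    session = resolve_session(request.get("token", ""))
    if session is None:
        return 401, {"error": "invalid_token"}
    permissions = set()
    for role in session["roles"]:
        permissions |= ROLE_PERMISSIONS.get(role, set())
    return 200, {
        "user": session["user"],
        "roles": sorted(session["roles"]),
        "permissions": sorted(permissions),
    }


# --- Resource server side for each variant -----------------------------------
def authorize_via_check(token: str, role: str, permission: str) -> bool:
    """Variant 1: the authorization server makes the decision."""
    status, _ = check_permission({"token": token, "role": role, "permission": permission})
    return status == 200


def authorize_via_introspect(token: str, permission: str) -> bool:
    """Variant 2: the resource server decides from the returned permission set."""
    status, body = introspect({"token": token})
    return status == 200 and permission in body["permissions"]
```

The two resource-server helpers show the trade-off: with variant 2 the response can be cached per token and reused for several checks, saving round-trips but letting a revoked token stay usable until the cache entry expires; with variant 1 every decision is taken centrally, so revocation and policy changes apply immediately at the cost of one call per check.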

Which of these is more advisable? Are there any other patterns or approaches I can consider?
