Something I have been searching the interwebs for, but not found proper answers to.
We are redoing a big legacy system into microservices, and I am bumping my head into authorization (who is allowed to do what).
We have a back office for our different brands in a multi-tenant setup. Then we have a brand service and a product service. Users can add products etc. to their brand.
We use PingFederate for authentication.
(Admin users have a role which enables them to work on all brands – this is located in the id_token.)
Question is: how should I authorize the user to be part of a brand in terms of seeing or creating things on the brand, such as a new product? They live in different microservices.
Option 1: I could verify the user when a call comes from the client (server-side Blazor) -> product service (create product), then check whether the user is allowed to do the action in the brand service.
Option 2: Have the creation of a product go through the brand service, verify it there, then pass it down to the product service.
But aren't these two a bit chatty?
Option 3: Let the product service have a notion of who is allowed to do what, fed from the brand service (event driven).
Option 4: Somehow add a notion of brand to the PingFederate AD? Though we do not control that instance, so it would create a big dependency on that other group.
I'd like to keep the domain knowledge close within the services.
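Added illustration, not code from the original post or from any of the services it describes: a product-service authorization check that combines the admin role from the token with brand membership, where the membership lookup is pluggable so the same decision logic works for Option 1 (synchronous call to the brand service, stubbed here with an in-memory table) and Option 3 (a local projection fed by brand-service events). The claim names `sub` and `roles`, the role value `admin`, the event kinds `added`/`removed` and the per-brand sequence number are all assumptions; the sample events and tokens are constructed. The code also assumes the caller has already validated the token's signature, issuer, audience and expiry before handing over its claims.

```python
from dataclasses import dataclass
from typing import Protocol

# Assumed role value carried in the token's "roles" claim (not from the post).
ADMIN_ROLE = "admin"


@dataclass(frozen=True)
class MembershipEvent:
    """Constructed event shape published by the brand service (assumption)."""
    brand_id: str
    user_id: str
    kind: str   # "added" or "removed"
    seq: int    # per-brand, monotonically increasing sequence number (assumption)


class MembershipSource(Protocol):
    def is_member(self, user_id: str, brand_id: str) -> bool: ...


class BrandMembershipProjection:
    """Option 3: the product service keeps its own view of brand membership,
    rebuilt from brand-service events. Assumes the broker delivers events for
    one brand in order (e.g. partitioned by brand_id); the sequence guard only
    drops redeliveries and stale replays."""

    def __init__(self) -> None:
        self._members: dict[str, set[str]] = {}
        self._last_seq: dict[str, int] = {}

    def apply(self, ev: MembershipEvent) -> bool:
        # Ignore duplicates and anything older than what we already applied.
        if ev.seq <= self._last_seq.get(ev.brand_id, 0):
            return False
        members = self._members.setdefault(ev.brand_id, set())
        if ev.kind == "added":
            members.add(ev.user_id)
        elif ev.kind == "removed":
            members.discard(ev.user_id)
        else:
            raise ValueError(f"unknown membership event kind {ev.kind!r}")
        self._last_seq[ev.brand_id] = ev.seq
        return True

    def is_member(self, user_id: str, brand_id: str) -> bool:
        return user_id in self._members.get(brand_id, set())


class BrandServiceClient:
    """Option 1: ask the brand service on every request. The real client would
    make an authenticated HTTP call; an in-memory table stands in for it here."""

    def __init__(self, table: dict[str, set[str]]) -> None:
        self._table = table

    def is_member(self, user_id: str, brand_id: str) -> bool:
        return user_id in self._table.get(brand_id, set())


def authorize(claims: dict, brand_id: str, source: MembershipSource) -> bool:
    """Decide whether the token subject may act on brand_id.

    `claims` must come from a token that was already validated (signature,
    issuer, audience, expiry). Admins pass on the role alone; everyone else
    must be a member of the brand according to the chosen membership source.
    """
    sub = claims.get("sub")
    if not sub:
        return False  # no subject: fail closed
    if ADMIN_ROLE in claims.get("roles", []):
        return True
    return source.is_member(sub, brand_id)


def demo() -> dict:
    """Constructed walk-through returning the decisions for a few cases."""
    proj = BrandMembershipProjection()
    events = [
        MembershipEvent("brand-a", "alice", "added", 1),
        MembershipEvent("brand-a", "alice", "added", 1),   # redelivered duplicate
        MembershipEvent("brand-b", "bob", "added", 1),
    ]
    applied = [proj.apply(e) for e in events]
    sync = BrandServiceClient({"brand-a": {"alice"}, "brand-b": {"bob"}})
    alice, bob_admin, bob = (
        {"sub": "alice", "roles": []},
        {"sub": "bob", "roles": ["admin"]},
        {"sub": "bob", "roles": []},
    )
    return {
        "applied": applied,
        "alice_on_a_projection": authorize(alice, "brand-a", proj),
        "alice_on_a_sync": authorize(alice, "brand-a", sync),
        "bob_on_a_member": authorize(bob, "brand-a", proj),
        "bob_on_a_admin": authorize(bob_admin, "brand-a", proj),
        "no_subject": authorize({"roles": ["admin"]}, "brand-a", proj),
    }
```

The point of the `MembershipSource` protocol is that the decision ("admin role, or member of this brand") stays inside the product service either way; only where the membership fact comes from changes between the synchronous and the event-driven variant. With the projection, a removal event must reach the product service before the user loses access, so the sequence guard and a periodic full resync from the brand service are the parts to get right.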