Description
Currently the Admin UI has only one level of authorization:
services.AddAuthorization(options =>
{
options.AddPolicy(AuthorizationConsts.AdministrationPolicy,
policy => policy.RequireRole(AuthorizationConsts.AdministrationRole));
});
There is a need to provide access to the Admin UI for users at the client application level.
UserA has access to administrate App1, App2
UserB has access to administrate App1, App4, App5
Authorization must restrict users' access in the views so that they see only the Client configurations, Stored Grants, Logs, Audit info, etc. related to their own applications.
What to do with application specific users is an open question.
I would suggest a dynamic filters approach at the DAL level:
http://entityframework.net/ef-dynamic-filters
e.g. conditionally enabling a filter could look like this:
// the lambda parameter must be named so the body can reference it
modelBuilder.Filter("HasClientId", (IHasClientId d) => UserHasClientAppAdminClaim(d.ClientId));
- where UserHasClientAppAdminClaim checks whether an 'application-admin' claim carrying the ClientId exists on the user's ClaimsPrincipal.
For the Clients list view the filter will be applied as a WHERE ClientId IN (c1, c2, c3) clause.
The second-level authorization feature must be toggleable with a feature flag in appsettings.json.
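As an added example (not code from the IdentityServer4.Admin project or from the issue author), here is one way the two-level scheme described above could be wired up in ASP.NET Core with EF Core. It assumes: a claim type "application-admin" whose value is a ClientId (one claim per administered client); a feature flag "AdminConfiguration:EnableClientLevelAuthorization" in appsettings.json; and EF Core's built-in HasQueryFilter in place of the EF6 DynamicFilters library linked above, which gives the same per-user WHERE ClientId IN (...) restriction. The entity, policy and handler names are hypothetical.

```csharp
// Added example: second-level (per-client) authorization for an admin UI.
// Assumed claim type, policy name and config key; not the project's own identifiers.
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class ClientAdminClaims
{
    public const string ClaimType = "application-admin";            // assumed claim type
    public const string PolicyName = "ClientAdministrationPolicy";    // assumed policy name
    public const string FeatureFlag = "AdminConfiguration:EnableClientLevelAuthorization"; // assumed key

    // Every ClientId the signed-in user may administer, taken from their claims.
    public static IReadOnlyCollection<string> AllowedClientIds(ClaimsPrincipal user) =>
        user?.FindAll(ClaimType).Select(c => c.Value).Distinct().ToList() ?? new List<string>();
}

// Entities that belong to a client expose its ClientId so one filter rule covers all of them.
public interface IHasClientId { string ClientId { get; } }
public class Client : IHasClientId { public int Id { get; set; } public string ClientId { get; set; } }
public class PersistedGrant : IHasClientId { public string Key { get; set; } public string ClientId { get; set; } }

// DAL-level filter: with the flag on, every query over these entities is restricted to the
// user's clients (EF Core translates Contains on the captured list to WHERE ClientId IN (...)).
public class AdminDbContext : DbContext
{
    private readonly IHttpContextAccessor _http;
    private readonly bool _clientLevelAuth;

    public AdminDbContext(DbContextOptions<AdminDbContext> options, IHttpContextAccessor http, IConfiguration config)
        : base(options)
    {
        _http = http;
        _clientLevelAuth = config.GetValue<bool>(ClientAdminClaims.FeatureFlag);
    }

    public DbSet<Client> Clients => Set<Client>();
    public DbSet<PersistedGrant> PersistedGrants => Set<PersistedGrant>();

    // Read at query time, so the filter follows the current request's user.
    private IReadOnlyCollection<string> AllowedClientIds =>
        ClientAdminClaims.AllowedClientIds(_http.HttpContext?.User);

    protected override void OnModelCreating(ModelBuilder modelBuilder)
    {
        modelBuilder.Entity<Client>()
            .HasQueryFilter(c => !_clientLevelAuth || AllowedClientIds.Contains(c.ClientId));
        modelBuilder.Entity<PersistedGrant>()
            .HasQueryFilter(g => !_clientLevelAuth || AllowedClientIds.Contains(g.ClientId));
    }
}

// Resource-based check for single-item views (edit client, view grant, ...), so a user who
// guesses a URL still cannot read or change a client they do not administer.
public class ClientAdminRequirement : IAuthorizationRequirement { }

public class ClientAdminHandler : AuthorizationHandler<ClientAdminRequirement, IHasClientId>
{
    private readonly bool _clientLevelAuth;
    public ClientAdminHandler(IConfiguration config) =>
        _clientLevelAuth = config.GetValue<bool>(ClientAdminClaims.FeatureFlag);

    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
        ClientAdminRequirement requirement, IHasClientId resource)
    {
        // Flag off: first-level (role) authorization alone decides, so the requirement passes.
        if (!_clientLevelAuth || ClientAdminClaims.AllowedClientIds(context.User).Contains(resource.ClientId))
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

public static class ClientLevelAuthorizationSetup
{
    // Registers the second-level policy next to the existing role-based AdministrationPolicy.
    public static IServiceCollection AddClientLevelAuthorization(this IServiceCollection services)
    {
        services.AddHttpContextAccessor();
        services.AddSingleton<IAuthorizationHandler, ClientAdminHandler>();
        services.AddAuthorization(options =>
            options.AddPolicy(ClientAdminClaims.PolicyName,
                policy => policy.RequireAuthenticatedUser().AddRequirements(new ClientAdminRequirement())));
        return services;
    }
}
```

In a controller the per-item check is invoked with `await _authorizationService.AuthorizeAsync(User, client, ClientAdminClaims.PolicyName)` after loading the entity; list views need no extra code because the query filter already narrows them. Keeping the flag inside the filter and the handler, rather than conditionally registering them, means the policy name always resolves and a misconfigured flag fails closed to the existing role check instead of throwing on an unknown policy.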