Question for y'all regarding authorization in microservices.
My company is moving from a monolith to microservices and we are rolling out our own AuthN and AuthZ. For authorization, we are attaching user scopes to the request header and passing it to a service.
In the service we have required scopes, which is an array of strings. In the middleware we check required scopes against user scopes.
My questions are:
1. Can an endpoint return additional data based on non required user scopes?
2. What should the scope check entail? Just checking against the strings, or should it hold some logic?
3. How do you guys tackle such a problem at your company?
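The middleware described in the post, as an added example (not the poster's code or their company's implementation). It assumes a header name `X-User-Scopes`, a gateway-signed companion header `X-User-Scopes-Sig` with a shared key, and a `resource:*` wildcard convention; all three are assumptions for illustration. The signature check is the caveat a practitioner would want: a forwarded header is only trustworthy if clients cannot set it themselves, so either the network boundary or a signature has to guarantee it came from the gateway. The handler also shows the two other points raised, returning extra data when an optional scope is present and doing an object-level ownership check that plain string comparison cannot express.

```python
import hashlib
import hmac

# Assumed names for illustration; not from the original post.
SCOPE_HEADER = "X-User-Scopes"
SIG_HEADER = "X-User-Scopes-Sig"
GATEWAY_KEY = b"constructed-example-key"  # shared with the gateway in this example


class Forbidden(Exception):
    pass


def parse_scopes(raw: str) -> frozenset:
    """Split a space- or comma-separated scope header into a normalized set."""
    return frozenset(s.strip().lower() for s in raw.replace(",", " ").split() if s.strip())


def sign_scopes(raw: str) -> str:
    """What the gateway does before forwarding: HMAC the scope header."""
    return hmac.new(GATEWAY_KEY, raw.encode(), hashlib.sha256).hexdigest()


def verify_scope_header(headers: dict) -> frozenset:
    """Trust the forwarded scopes only if the gateway signed them.
    Without this (or an equivalent network trust boundary) any client
    could set the header and grant itself arbitrary scopes."""
    raw = headers.get(SCOPE_HEADER, "")
    sig = headers.get(SIG_HEADER, "")
    if not hmac.compare_digest(sign_scopes(raw), sig):
        raise Forbidden("scope header missing or not signed by gateway")
    return parse_scopes(raw)


def scope_matches(granted: str, required: str) -> bool:
    """Compare one granted scope to one required scope.
    Assumed convention: 'orders:*' satisfies any 'orders:<action>'."""
    if granted == required:
        return True
    resource, _, action = granted.partition(":")
    return action == "*" and required.startswith(resource + ":")


def has_scope(user_scopes, required: str) -> bool:
    return any(scope_matches(g, required) for g in user_scopes)


def require_scopes(required):
    """Middleware-style decorator: every required scope must be present."""
    def decorator(handler):
        def wrapped(request):
            user_scopes = verify_scope_header(request["headers"])
            missing = [r for r in required if not has_scope(user_scopes, r)]
            if missing:
                raise Forbidden(f"missing scopes: {missing}")
            request["scopes"] = user_scopes  # handler can do finer checks
            return handler(request)
        return wrapped
    return decorator


@require_scopes(["orders:read"])
def get_order(request):
    # Constructed sample record standing in for a database lookup.
    order = {"id": request["order_id"], "status": "shipped", "owner": "alice"}
    scopes = request["scopes"]
    # Object-level logic beyond string matching: an orders:read caller only
    # sees their own orders unless they also hold orders:read_all.
    if order["owner"] != request["user"] and not has_scope(scopes, "orders:read_all"):
        raise Forbidden("not the owner of this order")
    # Extra data gated on a scope the endpoint does not require.
    if has_scope(scopes, "orders:read_pii"):
        order["shipping_address"] = "1 Example St"
    return order


def make_request(user: str, order_id: int, raw_scopes: str, signed: bool = True) -> dict:
    """Build a constructed request as the gateway (signed) or a client (unsigned) would."""
    headers = {SCOPE_HEADER: raw_scopes}
    if signed:
        headers[SIG_HEADER] = sign_scopes(raw_scopes)
    return {"headers": headers, "user": user, "order_id": order_id}


if __name__ == "__main__":
    print(get_order(make_request("alice", 7, "orders:read")))
    print(get_order(make_request("alice", 7, "orders:* orders:read_pii")))
    try:
        get_order(make_request("mallory", 7, "orders:read orders:read_pii", signed=False))
    except Forbidden as e:
        print("rejected:", e)
```

The decorator is the string-level check from the post; the ownership and optional-field logic lives in the handler because it needs the request and the record, which a generic middleware does not have.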
comments
We have in-house AuthZ, but we have a team of 12-13 people for this. It is a difficult problem.