
Secure APIs

General Discussion
Yohan, last edited by 22 Jul 2022, 12:57

    Hi everyone,

    I'd like some advice about securing APIs with FusionAuth. Here's the environment:

    We have multiple microservices with APIs (JSONAPI) requiring an OpenID access token. All applications using those APIs, and the OpenID provider, are homemade.
    Tricky part: we have read/write permissions AND data filtering for users.
    We call the filtering strategies "resources" (e.g. AllClient, MyClient, ProducedClient, etc.). Most of the time, they use a user's properties to filter data. Our authorizations are combinations of read/write, resource and user (or group of users).

    The plan is to migrate to FusionAuth (you guessed it) and add a gateway to handle security. We already installed Kong gateway and wrote a plugin to verify the access token and transform the request, block paths, etc. User properties are stored in the FusionAuth user model and populated in claims (a lambda is involved here), but we're missing resources.

    We created an Entity/Type for the gateway and used permissions to declare resources and read/write combinations (MyClient:Read, MyClient:Write, etc.). Really cool thing: we can give access to external workflow applications (n8n and others) with client credentials by adding an entity, adding properties and granting permissions to the gateway's entity. The correct scope in the auth request should add the permissions into the access token.

    Problem is, I can't do the same thing with users. I can grant permissions to the gateway's entity, but it won't fill permissions in the access token as it does in the previous case; only roles are taken into consideration. A poor solution is to call FusionAuth's entity API in a lambda and fill permissions manually, but it feels like I'm doing something wrong (and maybe because the starter edition does not include request capability in lambdas 🙄). Adding resources in the user's data would be a shame. Any ideas?

    Please tell me your feelings about how we use FusionAuth. Thx!

    dan (replying to @Yohan), last edited by 16 Aug 2022, 03:16

      @Yohan

      Poor solution is to call FusionAuth's entity API in a lambda and fill permissions manually, but it feels like I'm doing something wrong

      This would be the recommended solution right now, but you are right that this functionality isn't included in the starter edition.

      You could put the resources a user has access to in the user.data field. This was commonly done before Lambda HTTP Connect was built.

      The only other way I've seen it work is to have a secondary server which takes a JWT from FusionAuth, examines grants and other data, and re-issues the JWT (possibly using the vend API).

      Hope that helps.

      --
      FusionAuth - Auth for devs, built by devs.
      https://fusionauth.io

      Yohan, last edited by Yohan 13 Sept 2022, 12:48

        Hi dan,

        Thanks for the reply, I ended up storing permissions in the user.data field.

        I hope you'd consider adding the "entity grants to permissions" of the client credential flow in the authorization code flow in a future release, entity fits many needs and may ease integration.

        We appreciate FusionAuth is very flexible, you're doing a great job 👏
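
        The approach this thread settles on, as an added example that is not code from the thread or from FusionAuth: permissions are kept in user.data, copied into the access token by a FusionAuth JWT populate lambda (whose populate(jwt, user, registration) signature is FusionAuth's), and then checked at the gateway. The claim name "permissions", the user.data layout and the sample user are assumptions.

        ```javascript
        // Added example, not code from the thread or from FusionAuth. The claim name
        // "permissions" and the user.data layout are assumptions made for illustration.

        // FusionAuth JWT populate lambda: copy the user's permissions into the token.
        // The lambda engine exposes only plain JS, so this stays dependency-free.
        function populate(jwt, user, registration) {
          var data = user.data || {};
          // Only copy well-formed "Resource:Action" strings; ignore anything else.
          jwt.permissions = (Array.isArray(data.permissions) ? data.permissions : [])
            .filter(function (p) {
              return typeof p === 'string' && /^[A-Za-z]+:(Read|Write)$/.test(p);
            });
        }

        // Gateway-side check (what the Kong plugin would do after verifying the JWT's
        // signature, issuer, audience and expiry): does the token grant `action` on
        // `resource`? Write does not imply Read here; the thread grants them separately.
        function isAllowed(claims, resource, action) {
          var perms = Array.isArray(claims.permissions) ? claims.permissions : [];
          return perms.indexOf(resource + ':' + action) !== -1;
        }

        // Resources the token may use for a given action, e.g. to pick the data
        // filtering strategy (AllClient, MyClient, ProducedClient, ...) for a request.
        function allowedResources(claims, action) {
          var perms = Array.isArray(claims.permissions) ? claims.permissions : [];
          return perms
            .filter(function (p) { return p.split(':')[1] === action; })
            .map(function (p) { return p.split(':')[0]; });
        }

        // Constructed sample user, shaped like what FusionAuth hands to the lambda.
        var sampleUser = {
          email: 'alice@example.com',
          data: { permissions: ['MyClient:Read', 'MyClient:Write', 'ProducedClient:Read', 'bogus'] }
        };

        // Run the lambda on the sample user, then evaluate a few gateway decisions.
        function demo() {
          var jwt = { sub: 'constructed-user-id' };
          populate(jwt, sampleUser, {});
          return {
            claims: jwt,
            canWriteMyClient: isAllowed(jwt, 'MyClient', 'Write'),
            canWriteProduced: isAllowed(jwt, 'ProducedClient', 'Write'),
            readable: allowedResources(jwt, 'Read')
          };
        }
        ```

        A token without a permissions claim is denied everything, so a user whose user.data was never populated cannot reach any resource.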

        Yohan has marked this topic as solved on 14 Sept 2022, 09:34