FusionAuth
    Secure APIs

    General Discussion

    Yohan:

      Hi everyone,

      I'd like some advice about securing APIs with FusionAuth. Here's the environment:

      We have multiple microservices with APIs (JSONAPI) requiring an OpenID access token. All applications using those APIs and the OpenID provider are homemade.
      Tricky part: we have read/write permissions AND data filtering for users.
      We call the filtering strategies "resources" (e.g. AllClient, MyClient, ProducedClient, etc.). Most of the time, they use the user's properties to filter data. Our authorizations are combinations of read/write, resource and user (or group of users).

      The plan is to migrate to FusionAuth (you guessed it) and add a gateway to handle security. We already installed the Kong gateway and wrote a plugin to verify the access token and transform requests, block paths, etc. The user's properties are stored in the FusionAuth user model and populated into claims (a lambda is involved here), but we're missing resources.

      We created an Entity/Type for the gateway and used permissions to declare resources and read/write combinations (MyClient:Read, MyClient:Write, etc.). Really cool thing: we can give access to external workflow applications (n8n and others) with client credentials by adding an entity, adding properties and granting permissions on the gateway's entity. The correct scope in the auth request then adds the permissions into the access token.

      Problem is, I can't do the same thing with users. I can grant permissions on the gateway's entity, but it won't fill permissions into the access token as it does in the previous case; only roles are taken into consideration. A poor solution is to call FusionAuth's entity API in a lambda and fill in the permissions manually, but it feels like I'm doing something wrong (and maybe because the starter edition does not include request capability in lambdas 🙄). Adding resources to the user's data would be a shame. Any ideas?

      Please tell me your feelings about how we use FusionAuth. Thx!

      dan (FusionAuth), replying to Yohan:

        @Yohan

        > A poor solution is to call FusionAuth's entity API in a lambda and fill in the permissions manually, but it feels like I'm doing something wrong

        This would be the recommended solution right now, but you are right that this functionality isn't included in the starter edition.

        You could put the resources a user has access to in the user.data field. This was commonly done before Lambda HTTP Connect was built.

        The only other way I've seen it work is to have a secondary server which takes a JWT from FusionAuth, examines grants and other data, and re-issues the JWT (possibly using the vend API).

        Hope that helps.

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        Yohan:
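        To make the recommended approach concrete, here is an added example (not code from this thread or from FusionAuth itself). Part 1 is a FusionAuth JWT populate lambda, using the real lambda signature `populate(jwt, user, registration)`, that turns resources stored in `user.data` into `<Resource>:<Read|Write>` permission claims, matching the permission names the question uses for entities. Part 2 is the gateway-side decision a Kong plugin would make after verifying the token signature: audience, expiry, and the permission the route requires. The `user.data.resources` layout, the `permissions` claim name, the route table, and the sample user are assumptions constructed for this example.

```javascript
// Added example, not from the thread or from FusionAuth's own code.
// Assumed user.data layout: { resources: { MyClient: ['Read', 'Write'], AllClient: ['Read'] } }

const ALLOWED_ACTIONS = new Set(['Read', 'Write']);
const RESOURCE_NAME = /^[A-Za-z][A-Za-z0-9]*$/;

// Flatten user.data.resources into sorted "Resource:Action" strings.
// Malformed names or unknown actions are dropped, so a stray edit to
// user.data cannot inject a claim the gateway would not expect.
function permissionsFromUserData(data) {
  const resources = (data && data.resources) || {};
  const perms = new Set();
  for (const [resource, actions] of Object.entries(resources)) {
    if (!RESOURCE_NAME.test(resource) || !Array.isArray(actions)) continue;
    for (const action of actions) {
      if (ALLOWED_ACTIONS.has(action)) perms.add(`${resource}:${action}`);
    }
  }
  return [...perms].sort();
}

// JWT populate lambda (FusionAuth signature). FusionAuth passes the token
// being built, the user, and the user's registration for the application;
// claims are added by assigning properties on jwt.
function populate(jwt, user, registration) {
  jwt.permissions = permissionsFromUserData(user.data);
  jwt.roles = (registration && registration.roles) || [];
}

// Assumed route table: the permission each gateway route requires.
const ROUTES = [
  { method: 'GET', path: '/clients', permission: 'MyClient:Read' },
  { method: 'POST', path: '/clients', permission: 'MyClient:Write' },
  { method: 'GET', path: '/clients/all', permission: 'AllClient:Read' },
];

// Gateway decision on already signature-verified claims. Signature checks
// alone do not prove the token was issued for this gateway or is still
// valid, so audience and expiry are checked before the permission.
function authorizeRequest(claims, method, path, opts = {}) {
  const now = opts.now !== undefined ? opts.now : Math.floor(Date.now() / 1000);
  const route = ROUTES.find((r) => r.method === method && r.path === path);
  if (!route) return { allowed: false, reason: 'unknown route' };
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(opts.audience)) return { allowed: false, reason: 'wrong audience' };
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { allowed: false, reason: 'token expired' };
  const perms = Array.isArray(claims.permissions) ? claims.permissions : [];
  if (!perms.includes(route.permission)) return { allowed: false, reason: `missing ${route.permission}` };
  return { allowed: true, reason: 'ok' };
}

// Constructed sample: run the lambda for one user, then make two gateway
// decisions on the resulting claims.
function demo() {
  const user = {
    data: { resources: { MyClient: ['Read', 'Write'], AllClient: ['Read'], 'bad name': ['Read'] } },
  };
  const jwt = { aud: 'gateway-client-id', exp: 1700000600 };
  populate(jwt, user, { roles: ['user'] });
  const opts = { audience: 'gateway-client-id', now: 1700000000 };
  return {
    permissions: jwt.permissions,
    readClients: authorizeRequest(jwt, 'GET', '/clients', opts).allowed,
    writeAll: authorizeRequest(jwt, 'POST', '/clients/all', opts).allowed,
  };
}

console.log(JSON.stringify(demo()));
```

        The lambda only emits permissions it can parse, so the gateway can treat the `permissions` claim as a closed vocabulary; the gateway, in turn, denies by default on any route it does not know. The data filtering itself (which rows "MyClient" selects) still belongs to the microservice, which can read the same claim to choose the filter.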

          Hi dan,

          Thanks for the reply, I ended up storing permissions in the user.data field.

          I hope you'd consider adding the "entity grants to permissions" of the client credentials flow to the authorization code flow in a future release; entities fit many needs and may ease integration.

          We appreciate FusionAuth is very flexible, you're doing a great job 👏

          Yohan marked this topic as solved.