1.
Claim Based Authorization
·
Token Validation: As requests come into the
Ocelot API Gateway, the first step is to validate the JWT token issued by FAMS.
This validation checks the token's integrity and authenticity.
·
Fetch User Claims: Once the token is validated,
Ocelot should then communicate with the admin microservice to retrieve specific
claims related to the user's roles and permissions. This is crucial for
implementing fine-grained access control based on the roles associated with the
token's user.
·
Validate Token
o custom
middleware in Ocelot to intercept incoming requests. Extract the JWT token from
the Authorization header. Validate the token’s signature, issuer, and
expiration using FAMS's KID (Same as H2M token validation strategy).
·
Retrieve User Claims
o After
successful token validation, extract the user identifier from the token (claim
that identifies the user).
o Make
an API call from Ocelot to the admin microservice, passing the user identifier
to fetch the corresponding roles and permissions.
o The
admin microservice should respond with the necessary claims which define what
actions the user is authorized to perform.
·
Enforce Authorization
o Utilize
the fetched claims to enforce authorization policies within Ocelot. This can be
done through route rules in Ocelot configuration.
o Based
on the claims, decide whether to forward the request to downstream services or
reject it.
·
Caching
o
Caching roles and permissions in Ocelot if they
do not change frequently, to reduce the number of requests to the admin
microservice.
2. Cross Zone Authorization
Users who are
allowed to make a cross zone call will have a role defined in admin
microservice (or in IAM). That scope will be added
to the authorization header which can then be used in make cross zone api call
else reject in its own zone
For cross zone
call, add custom claim Boolean flag indicating cross zone access.
·
Ocelot receives cross zone request with role, extracts
the JWT token.
·
Forwards the token to authorization service.
·
Authorization service validates the token and
check cross zone permission.
·
Authorization service will allow/deny the request.
