Resource-based authorization done in API gateway: how to filter resources based on permissions in the API?

Damian Nizio 0 Reputation points

Hello. I have created services that are edge-authorized on the API gateway. In theory, my services should know nothing about authorization.

Now, if I get permissions for, let's say, /resources/1, this is easy, as I can just enforce the permit.

But what if my endpoint is /resources and I would like it to retrieve only what the user has permission for?
Would I need to propagate permissions from the API gateway to my specific service?

How do I model a system like this? Is there any better way to do this, or should I just ditch permissions in the API gateway and move them to my services, so that coarse-grained authz would happen on the API gateway (roles can access some endpoints and not others), while resource-based (fine-grained) authz would happen in the services?

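The split raised at the end of the question, as an added sketch that is not part of the original post: the gateway does the coarse role check and forwards a signed identity, and the service applies per-resource grants to both `/resources` and `/resources/{id}`. The HMAC assertion stands in for whatever token the gateway really issues, and the key, users, roles and grant table are constructed assumptions.

```python
from __future__ import annotations
import base64, hashlib, hmac, json

# Constructed sample data: key, routes, users and grants are all assumptions.
GATEWAY_KEY = b"demo-key-shared-by-gateway-and-service"
ROUTE_ROLES = {"/resources": {"reader", "admin"}}          # coarse-grained, at the gateway
RESOURCES = {1: "report-a", 2: "report-b", 3: "report-c"}  # data owned by the service
GRANTS = {("alice", 1), ("alice", 3), ("bob", 2)}          # fine-grained, in the service


def _sign(payload: bytes) -> bytes:
    return hmac.new(GATEWAY_KEY, payload, hashlib.sha256).hexdigest().encode()


def gateway_forward(user: str, roles: list[str], path: str) -> str | None:
    """Gateway: check the role for the route, then forward a signed identity."""
    if not ROUTE_ROLES.get(path, set()) & set(roles):
        return None  # rejected at the edge; the service is never called
    payload = base64.urlsafe_b64encode(json.dumps({"sub": user, "roles": roles}).encode())
    return payload.decode() + "." + _sign(payload).decode()


def _caller(assertion: str | None) -> str:
    """Service: trust the forwarded identity only if the gateway's MAC verifies."""
    payload, _, mac = (assertion or "").partition(".")
    if not payload or not hmac.compare_digest(_sign(payload.encode()), mac.encode()):
        raise PermissionError("missing or tampered identity assertion")
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]


def list_resources(assertion: str | None) -> dict[int, str]:
    """GET /resources: the grant filter is part of the lookup, not a post-check."""
    user = _caller(assertion)
    return {rid: name for rid, name in RESOURCES.items() if (user, rid) in GRANTS}


def get_resource(assertion: str | None, rid: int) -> str:
    """GET /resources/{id}: same grant table, so both endpoints agree."""
    if (_caller(assertion), rid) not in GRANTS:
        raise PermissionError("no grant for this resource")
    return RESOURCES[rid]
```

Only the identity crosses the gateway boundary here; the grant table stays with the service that owns the data, so the list filter and the single-item check cannot drift apart.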