I'm not quite certain I follow. I understand you're saying i should use a combination of Claims and Role-based authorization, but where would each part be checked? I'll try to elaborate.
Let's use the example I have described above. As I am building a WebAPI, with the expectation that an authenticated user is attempting to obtain a list of Widgets that they have to work with for some reason.
If this was a simple request for a single user, I could make a WidgetController.cs class, with an HttpGet attribute and check for a Role that permits access to Widgets.
But, in my case, the list of Widgets needed is based upon authentication:
- A StandardUser would get all of the Widgets from their factory
- A RegionalManager would get all of the Widgets from their region (many factories)
- A GlobalAdmin would get all of the Widgets from the whole company.
- There are edge cases where a specific user would need access to factories not normally associated with their role
Is the suggestion having a Role for each factory? If so, where should the AuthZ check be? If I make middleware, we somehow need to know the factoryId related to the request. Putting a factory in a header seems kludgy, so we'd need to possibly be consistent with a Query String variable and grab that value of that parameter in the middleware?
You mention claims - how do you envision a claim appearing for each type of user? And where would these claims get populated? If it's Azure AD, we might end up having hundreds of factories, which would mean 100s of claims.
Can you elaborate a bit more, please? Thx