Authorization · Case Studies · Software · Solutions

Authorization with User Roles and Associated Permissions

I have seen many applications implement authorization this way: create many types of user, then verify the user type when a feature is executed.

What happens if the application needs a new user type? You have to go through every feature and edit the source code to update its list of valid user types.

How can we make life simpler? Create the user types and associate feature permissions with each type. So we have:

  1. User Type 1
    • Feature A: Enable
    • Feature B: Disable
    • Feature C: Enable
  2. User Type 2
    • Feature A: Disable
    • Feature B: Enable
    • Feature C: Enable

The application verifies that the user has permission for a feature by looking it up in the permission list, and denies the request when no entry exists. A new user type can then be added by configuring its permissions alone, without modifying any existing feature code.
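The following is an added example, not code from the original post: it puts the two user types from the list above into a permission table, enforces it with a decorator so that feature code never names a user type, and contrasts it with the hard-coded check the post criticises. The function and class names are assumptions; in a real application the table would be loaded from a database or config file rather than a literal.

```python
"""Role-based permission check: user types map to feature permissions in data,
so a new user type is a configuration change rather than a code change."""
from functools import wraps
from typing import Callable, Dict, FrozenSet, Iterable

# Constructed configuration mirroring the post's two user types.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "User Type 1": frozenset({"Feature A", "Feature C"}),
    "User Type 2": frozenset({"Feature B", "Feature C"}),
}


class PermissionDenied(Exception):
    """Raised when a user type is not granted the requested feature."""


def has_permission(user_type: str, feature: str,
                   permissions: Dict[str, FrozenSet[str]] = ROLE_PERMISSIONS) -> bool:
    """Deny by default: an unknown user type or an unlisted feature is False."""
    return feature in permissions.get(user_type, frozenset())


def requires(feature: str) -> Callable:
    """Decorator that consults the permission list before the feature runs.

    Feature code never names a user type, so adding a type touches only
    ROLE_PERMISSIONS, never the features themselves.
    """
    def decorator(func: Callable) -> Callable:
        @wraps(func)
        def wrapper(user_type: str, *args, **kwargs):
            if not has_permission(user_type, feature):
                raise PermissionDenied(f"{user_type!r} may not use {feature!r}")
            return func(user_type, *args, **kwargs)
        return wrapper
    return decorator


# The "before" style: valid types are hard-coded inside the feature, so every
# feature has to be edited whenever a user type is added.
def feature_a_hardcoded(user_type: str) -> str:
    if user_type != "User Type 1":
        raise PermissionDenied(f"{user_type!r} may not use 'Feature A'")
    return "feature A executed"


# The "after" style: the feature declares what it needs and the list decides.
@requires("Feature A")
def feature_a(user_type: str) -> str:
    return "feature A executed"


@requires("Feature B")
def feature_b(user_type: str) -> str:
    return "feature B executed"


def add_user_type(name: str, features: Iterable[str],
                  permissions: Dict[str, FrozenSet[str]] = ROLE_PERMISSIONS) -> None:
    """Register a new user type by configuration only; no feature code changes."""
    permissions[name] = frozenset(features)


def run_feature(func: Callable, user_type: str) -> str:
    """Turn a denial into a result string so outcomes are easy to compare."""
    try:
        return func(user_type)
    except PermissionDenied:
        return "denied"


if __name__ == "__main__":
    print(run_feature(feature_a, "User Type 1"))            # allowed
    print(run_feature(feature_a, "User Type 2"))            # denied
    add_user_type("User Type 3", ["Feature A", "Feature B"])
    print(run_feature(feature_a, "User Type 3"))            # allowed, no code changed
    print(run_feature(feature_a_hardcoded, "User Type 3"))  # still denied: code must change
```

Two details matter for security here: the lookup denies by default, so a user type that is missing from the table (or a typo in a type name) fails closed rather than open, and the check sits in one place instead of being copied into every feature.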

Authentication · Case Studies · Solutions

Central Authentication Domain

How many web sites does your company have? On each site a user may have a different password (sometimes a different username too) and has to remember a different link. Someone asks for SSO and the software department implements it: they build an Auth API, have every site call this API for authentication, and re-implement the same boring login feature on each site.

Why not make a separate site for authentication only? The main site redirects to the authentication site when the user is not yet logged in. After a successful login (OAuth2 can be supported as well), the authentication site calls back to the main site with a token, which the main site uses for the whole session. Many other sites can then be built against that one authentication site. Two things must hold for this to be safe: the callback has to be bound to the session that started the login (the OAuth2 state parameter does this), and the authentication site must only redirect to callback URLs registered for the requesting site, otherwise the code or token can be delivered to an attacker's page.

Reference from OAuth0