We have a single sign-on requirement where we want fine-grained programmatic control over access to SPA applications with their own APIs.
When we create a user we want to set which application(s) it has access to.
In some instances an admin account will have access to all applications, whereas some users will only have access to one application. It looks like there is no way of specifying which applications a user has access to through the Management API.
What's the best way of achieving this?
Connections:
These look like they are only useful when tying a user to a set of applications, and you can only have one connection per user. Given the number of applications we will have, it's not practical to have a connection for every combination of applications a user may need access to.
Tenants:
This won’t work as we will have a large number of applications and want to share users between them.
Claims:
We could store the list of applications the user has in AppMetadata (Apps['app1', 'app2', 'app3']), then use a rule to turn these into claims, which we then check on the API side. This might be the best solution?
Roles:
Create a permission for the API (access:allowed), then create a role (App1Access) and add the 'access:allowed' permission. We can then use the Assign User Roles endpoint to set those up.
None of these options feels quite right - are we missing something?
Regards
Steve
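The "Claims" option above, sketched as an added example that is not part of the original post and not Auth0's own code. Auth0 Rules are JavaScript functions of the form `function (user, context, callback)`, so the example is in JavaScript; `authorizeApp()` mirrors what such a Rule's body would do (deny the login when the application is not in the user's list, otherwise copy the list into the access token as a namespaced custom claim) but returns a result instead of calling `callback`, so it runs offline. `apiAllows()` is the matching check an API would make after it has verified the token. The claim namespace `https://example.com/`, the `apps` key in `app_metadata`, the `*` convention for "all applications", and the sample users are assumptions chosen for illustration.

```javascript
// Added example: offline sketch of an Auth0 Rule plus the API-side check.
// ASSUMPTION: custom claims are namespaced under this URL (Auth0 requires
// custom claims on access tokens to be namespaced).
const CLAIM_NS = 'https://example.com/';
const APPS_CLAIM = CLAIM_NS + 'apps';

// Mirrors a Rule body. `user.app_metadata.apps` is ASSUMED to hold the list of
// application names the user may access; '*' is ASSUMED to mean "all apps".
// `context.clientName` and `context.accessToken` are the real Rule context fields.
function authorizeApp(user, context) {
  const meta = user.app_metadata || {};
  const apps = Array.isArray(meta.apps) ? meta.apps : []; // missing metadata => no apps
  const allowed = apps.includes('*') || apps.includes(context.clientName);

  if (!allowed) {
    // In a real Rule: return callback(new UnauthorizedError('Access denied'));
    return { ok: false, error: 'Access denied to ' + context.clientName };
  }

  // In a real Rule: context.accessToken[APPS_CLAIM] = apps; callback(null, user, context);
  const accessToken = Object.assign({}, context.accessToken || {});
  accessToken[APPS_CLAIM] = apps;
  return { ok: true, accessToken };
}

// API side: call this only AFTER the JWT's signature, issuer, audience and
// expiry have been verified by your JWT library. `claims` is the decoded payload.
// A missing or malformed claim is treated as "no access", never as "all access".
function apiAllows(claims, appName) {
  const apps = claims[APPS_CLAIM];
  if (!Array.isArray(apps)) return false;
  return apps.includes('*') || apps.includes(appName);
}

// Constructed sample users for a stand-alone run (not real tenant data).
const adminUser = { app_metadata: { apps: ['*'] } };
const app1User = { app_metadata: { apps: ['app1'] } };
const noMetaUser = {};

function demo() {
  const cases = [
    [adminUser, 'app2'],
    [app1User, 'app1'],
    [app1User, 'app2'],
    [noMetaUser, 'app1'],
  ];
  for (const [user, clientName] of cases) {
    const result = authorizeApp(user, { clientName, accessToken: {} });
    const apiOk = result.ok ? apiAllows(result.accessToken, clientName) : false;
    console.log(clientName, 'login:', result.ok, 'api:', apiOk);
  }
}

demo();
```

The login-time denial and the API-side check are both needed: the Rule stops a user from obtaining a token for an application they are not entitled to, and the claim check stops a token obtained for one application from being replayed against another API that only trusts the audience. The API must still verify the token before reading the claim; the claim is data the API trusts only because the signature proves Auth0 wrote it.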