Hi @dan.woda,
Unfortunately that won’t work for our use case, because the user may not be authenticated against the organisation that we’re checking the permissions for.
In our app a user can be a member of multiple organisations. Given that the current token will only contain permission data related to the organisation the user is currently logged in to, we need a way of retrieving the user's permissions for a given org that they're attempting to access. Ideally, though, a single call could give us all of the user's permissions, with an indication of where each permission was sourced from (which would be an organisation membership in this case).
For example,
- User A authenticated against Org 1. They also have membership roles in Org 3 and Org 4.
- We have API endpoints that allow an Organisation (our entity) to be updated. We need to use RBAC here to check if the current authenticated user has access to the organisation they are attempting to update (which may not be the one they’re authenticated against).
- In order to do that we ideally need an API call to fetch all the permissions the user has in the organisations they are members of. But there isn’t a suitable API for doing that at the moment.
We essentially need a way to introspect the users' organisational permissions programmatically.
We have thought about how rules can help us here, and we could add the organisation permission to the token as custom claims, but we still need to retrieve that data.
Any advice you can give would be greatly appreciated!
Thanks.
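As an added illustration of the authorisation check the post describes (example code, not part of the original post or of any Auth0 SDK): an access token issued for Org 1 carries an `org_id` claim and permissions valid only for that organisation, so a request that targets Org 3 or Org 4 must not reuse those claims and instead has to consult a per-organisation membership source. The membership table, token claims and permission names below are constructed; in a real deployment the table would be populated from the identity provider's management API (an assumption, not a specific endpoint the post names).

```python
"""Cross-organisation permission check for org-scoped access tokens."""
from dataclasses import dataclass

# Constructed stand-in for a per-organisation permission source, keyed by
# (subject, organisation). In a real deployment this is filled from the
# identity provider's management API (assumption), never from the claims
# of a token that was issued for a different organisation.
ORG_MEMBERSHIP = {
    ("auth0|userA", "org_1"): {"organisation:read", "organisation:update"},
    ("auth0|userA", "org_3"): {"organisation:read"},
    ("auth0|userA", "org_4"): {"organisation:read", "organisation:update"},
}

# Constructed claims of a token obtained by logging in to Org 1.
TOKEN_CLAIMS = {
    "sub": "auth0|userA",
    "org_id": "org_1",
    "permissions": ["organisation:read", "organisation:update"],
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    source: str        # where the permission was sourced from
    reason: str = ""


def check_org_permission(claims: dict, target_org: str, permission: str) -> Decision:
    """Decide whether the token's subject may exercise `permission` in `target_org`."""
    sub = claims.get("sub")
    token_org = claims.get("org_id")
    if not sub or not token_org:
        return Decision(False, "token", "missing sub or org_id claim")
    # Same organisation the user authenticated against: token claims are authoritative.
    if token_org == target_org:
        if permission in claims.get("permissions", []):
            return Decision(True, f"token:{token_org}")
        return Decision(False, f"token:{token_org}", "permission not in token")
    # Different organisation: the token's permissions do not apply here, so
    # fall back to the membership source for the target organisation.
    granted = ORG_MEMBERSHIP.get((sub, target_org))
    if granted is None:
        return Decision(False, "membership", f"{sub} is not a member of {target_org}")
    if permission in granted:
        return Decision(True, f"membership:{target_org}")
    return Decision(False, f"membership:{target_org}", "permission not granted by membership")
```

The `source` field carries the "where the permission came from" indication the post asks for, so an audit log can record whether a decision rested on the token or on a membership lookup.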