I’m in the process of securing a Web API for a project that will deliver data to a SPA front end, but I’m having some issues actually securing it.
I know how to configure the SPA to be able to receive a token so that it can contact the API, but the API uses policies to filter what requests a user can make.
I know I can manually add users and give them rights, but in this case there could be several thousand users, and I obviously can’t add every single one.
99% of the users will only need read access, but some will also require write permissions.
The 1% that need elevated rights will be using a specific email domain.
I need a way to automatically give every user that signs up read permission, while users with @example.com domain need read and write permission.
Unfortunately, I have no idea how to do this. Please help.
If I understand your case correctly, this should be possible using Roles and RBAC and rules. You can create 2 roles, ‘user’ and ‘admin’ for example. In a rule, you can add the ‘user’ role to all users on first login, and add ‘admin’ to all users with @example.com email domain.
Here is an example rule for adding the role:
Here is an example domain whitelisting rule:
Let me know if you need help piecing it together,
Dan
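An added example (not part of Dan's reply or Auth0's own code) of the decision logic such a rule needs, written in the `function (user, context, callback)` shape. It assumes roles named `user` and `admin`, a privileged domain of `example.com`, existing roles stored in `user.app_metadata.roles`, and a namespaced claim `https://example.com/roles`; persisting the roles is left out so it runs offline.

```javascript
// Added example, not from the original thread. Assumptions: roles 'user' and
// 'admin', privileged domain example.com, roles kept in app_metadata.roles.
const ADMIN_DOMAINS = new Set(['example.com']);

// Return the lower-cased domain of a plain local@domain address, or null for
// anything else (no '@', empty parts, or more than one '@').
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const parts = email.split('@');
  if (parts.length !== 2 || parts[0] === '' || parts[1] === '') return null;
  return parts[1].toLowerCase();
}

// Decide which roles the user should hold after this login.
// Everyone gets 'user'. 'admin' is only added for a verified address whose
// domain exactly matches an allowed one (sub.example.com does not qualify),
// so an unverified self-asserted address cannot obtain write access.
function rolesFor(user) {
  const existing = user.app_metadata && Array.isArray(user.app_metadata.roles)
    ? user.app_metadata.roles : [];
  const roles = new Set(existing);
  roles.add('user');
  const domain = emailDomain(user.email);
  if (user.email_verified === true && domain !== null && ADMIN_DOMAINS.has(domain)) {
    roles.add('admin');
  }
  return Array.from(roles).sort();
}

// Rule-shaped wrapper: records the roles in app_metadata and exposes them in
// the ID and access tokens under a namespaced claim (assumed namespace) so
// the API's policies can evaluate them.
function assignRolesRule(user, context, callback) {
  const roles = rolesFor(user);
  const claim = 'https://example.com/roles';
  user.app_metadata = Object.assign({}, user.app_metadata, { roles });
  context.idToken = Object.assign({}, context.idToken, { [claim]: roles });
  context.accessToken = Object.assign({}, context.accessToken, { [claim]: roles });
  return callback(null, user, context);
}
```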