I’m in the process of securing a Web API for a project that will deliver data to a SPA front end, but I’m having some issues actually securing it.
I know how to configure the SPA to be able to receive a token so that it can contact the API, but the API uses policies to filter what requests a user can make.
I know I can manually add users and give them rights, but in this case there could be several thousand users, and I obviously can’t add every single one.
99% of the users will only need read access, but some will also require write permissions.
The 1% that need elevated rights will be using a specific email domain.
I need a way to automatically give every user that signs up read permission, while users with an @example.com domain need read and write permission.
Unfortunately, I have no idea how to do this. Please help.
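One way to get the behaviour asked for above without creating a row per user is to derive permissions from the access token's claims at request time rather than storing them: everyone with a valid token gets read, and write is added only when the token's e-mail address has been verified by the identity provider and its domain matches exactly. The following is an added example written for this page, not code from the original post or any specific framework. It assumes, hypothetically, that the API has already validated the token's signature upstream and hands the claims over as a plain object with `email` and `email_verified` fields (the standard OpenID Connect claim names), that the elevated domain is `example.com`, and that handlers run as Node `http`-style middleware with `req.claims`, `res` and `next`. It goes slightly beyond the question by also rejecting the cases a practitioner would want covered: an unverified address, a lookalike domain such as `example.com.evil.net`, and an address with `example.com` in the local part.

```javascript
// Added example (not from the original post): derive read/write permissions
// from the verified e-mail claim of an already signature-validated token.
// Assumptions (hypothetical): claims object has `email` and `email_verified`;
// the elevated domain is "example.com"; permissions are "read" and "write".

const ELEVATED_DOMAINS = new Set(["example.com"]);

// Return the lower-cased domain part of an e-mail address, or null if malformed.
// Everything after the LAST '@' is used, so "a@example.com@evil.net" maps to
// "evil.net" and does not get elevated rights.
function emailDomain(email) {
  if (typeof email !== "string") return null;
  const at = email.lastIndexOf("@");
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

// Map token claims to permissions. Every authenticated user gets "read";
// "write" is added only when the identity provider has verified the address
// (email_verified === true) and its domain is exactly an elevated domain
// (so "example.com.evil.net" and "example.com@evil.net" do not qualify).
function derivePermissions(claims) {
  const perms = new Set(["read"]);
  if (claims && claims.email_verified === true) {
    const domain = emailDomain(claims.email);
    if (domain !== null && ELEVATED_DOMAINS.has(domain)) perms.add("write");
  }
  return perms;
}

// Policy check used by the API: does this token satisfy the required permission?
// Permissions are computed server-side from the token; a "permissions" claim
// supplied by the client is deliberately never consulted.
function authorize(claims, required) {
  return derivePermissions(claims).has(required);
}

// Middleware factory (assumed Node http-style req/res/next): 403 when the
// caller lacks the permission, otherwise continue to the handler.
function requirePermission(required) {
  return (req, res, next) => {
    if (!req.claims || !authorize(req.claims, required)) {
      res.statusCode = 403;
      res.end();
      return;
    }
    next();
  };
}

// Typical wiring: GET routes use requirePermission("read"),
// POST/PUT/DELETE routes use requirePermission("write").
```

The important check is `email_verified`: many identity providers let a user self-assert any e-mail address at sign-up, so the domain alone proves nothing until the provider has confirmed the mailbox. If the provider does not emit that claim, the equivalent is to trust only accounts that were created through a federated login for the elevated domain.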