How to implement this authorization model with Auth0?

Hi, I’m fairly new to authentication and authorization and was wondering if someone could point me in the right direction.

I was wondering how I would need to go about implementing an authorization model similar to how google docs work.

A user can create a resource and then invite various other users who can have read/write/delete rights on that resource. The permissions are managed by the owner of that resource or other authorized users.

I understand Auth0 has the capability to give a user a certain role or permission, but in my understanding this would grant them access to all the resources and can’t be used to filter based on the relationship with the specific resource (is this ReBAC?).

How would I go about solving this issue? And is this something that Auth0 solves? Or do I need to model this in my application/database?

My current idea was to store a list of users on each resource that are authorized to perform a certain action (I’m using MongoDB), so that would roughly look like this:

[{
  resourceid: 1,
  canWrite: ['userid1'],
  canRead: ['userid1', 'userid2']
}]

Then let users authenticate themselves. When they make a request, extract their userid and check it against the list specified above, depending on the action they request.

I can see this getting very messy very quickly and I’m not sure if this is safe, so I wanted to check first if anyone has any better ideas. Any feedback is greatly appreciated! Thank you

Hi @Rub

Good timing! Auth0 very recently released fine grained authorization.
https://play.fga.dev/

John
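An added example (not code from the original poster and not Auth0 FGA's own API) showing what the per-resource model in the question looks like when expressed as relationship tuples, the shape the linked FGA playground works with. Objects, relations and users are stored as (object, relation, user) tuples in an in-memory array standing in for the poster's MongoDB collection; the relation hierarchy owner > writer > reader, the "sharer" management relation and the action names are assumptions chosen for illustration. The point it demonstrates is that every check, including the act of sharing or revoking, is evaluated against the specific resource and denies by default.

```javascript
// Added example, not from the original post or from Auth0 FGA: a minimal
// relationship-based (ReBAC) check for per-resource sharing. Tuples
// (object, relation, user) live in an in-memory array standing in for a
// MongoDB collection. The relation hierarchy and action names are assumed.

// Which relations imply a given relation (computed at check time, not stored).
const IMPLIED_BY = {
  owner: [],
  writer: ["owner"],
  reader: ["writer"],
  sharer: ["owner"], // only owners may manage permissions on a resource
};

// Map each action the API exposes to the relation it requires.
const ACTION_RELATION = {
  read: "reader",
  write: "writer",
  delete: "owner",
  share: "sharer",
};

class TupleStore {
  constructor() {
    this.tuples = []; // { object, relation, user }
  }
  hasDirect(object, relation, user) {
    return this.tuples.some(
      (t) => t.object === object && t.relation === relation && t.user === user
    );
  }
  add(object, relation, user) {
    if (!this.hasDirect(object, relation, user)) {
      this.tuples.push({ object, relation, user });
    }
  }
  remove(object, relation, user) {
    this.tuples = this.tuples.filter(
      (t) => !(t.object === object && t.relation === relation && t.user === user)
    );
  }
}

// Does `user` hold `relation` on `object`, directly or via an implying relation?
function hasRelation(store, object, relation, user, seen = new Set()) {
  if (seen.has(relation)) return false; // guard against cyclic definitions
  seen.add(relation);
  if (store.hasDirect(object, relation, user)) return true;
  return (IMPLIED_BY[relation] || []).some((parent) =>
    hasRelation(store, object, parent, user, seen)
  );
}

// Deny by default: unknown actions and objects with no tuples return false.
function can(store, user, action, object) {
  const relation = ACTION_RELATION[action];
  if (!relation) return false;
  return hasRelation(store, object, relation, user);
}

// Creating a resource makes the creator its owner.
function createResource(store, creator, object) {
  store.add(object, "owner", creator);
}

// Sharing and revoking are themselves authorized operations, checked the same way.
function share(store, caller, object, relation, target) {
  if (!can(store, caller, "share", object)) {
    throw new Error(`${caller} may not share ${object}`);
  }
  if (!["owner", "writer", "reader"].includes(relation)) {
    throw new Error(`unknown relation ${relation}`);
  }
  store.add(object, relation, target);
}

function revoke(store, caller, object, relation, target) {
  if (!can(store, caller, "share", object)) {
    throw new Error(`${caller} may not change sharing on ${object}`);
  }
  store.remove(object, relation, target);
}

// Constructed walkthrough: alice creates doc:1 and shares it read-only with bob.
function demo() {
  const store = new TupleStore();
  createResource(store, "alice", "doc:1");
  share(store, "alice", "doc:1", "reader", "bob");

  let bobShareDenied = false;
  try {
    share(store, "bob", "doc:1", "reader", "carol"); // bob is only a reader
  } catch (e) {
    bobShareDenied = true;
  }

  const bobReadBefore = can(store, "bob", "read", "doc:1");
  revoke(store, "alice", "doc:1", "reader", "bob");

  return {
    aliceWrite: can(store, "alice", "write", "doc:1"), // implied by owner
    aliceDelete: can(store, "alice", "delete", "doc:1"),
    bobReadBefore,
    bobWrite: can(store, "bob", "write", "doc:1"),
    bobReadAfter: can(store, "bob", "read", "doc:1"),
    carolRead: can(store, "carol", "read", "doc:1"),
    bobShareDenied,
    otherDoc: can(store, "alice", "read", "doc:2"), // no tuples for doc:2
  };
}

console.log(demo());
```

Keeping the hierarchy in code rather than duplicating a user into every list (`canRead` and `canWrite` both containing `userid1`) avoids the inconsistency the poster was worried about, and routing sharing through the same `can` check means the "who may manage permissions" rule is enforced in one place. A real service would look the tuples up in the database with the authenticated userid from the token and must still scope every query to the requested resource.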

