Let's talk about resource authorization

Introduction

It is fairly easy to get a role- and permission-based authorization system going for an API, and it is sufficient for most use cases. However, I am in need of more fine-grained authorization in some of my use cases. I am currently having trouble solving resource authorization in an elegant way, and I would like to hear how other people approach this issue.

What is resource authorization?

Giving a user authorization to only certain resources (let's say a certain restaurant) within a resource (restaurants).

Solutions

Save admin information on the resource

The simplest way I can think of to do this would be to have all administrators of the restaurant saved in the database, and link this administrator table to the specific restaurant. This way I could create an authorization policy to check if the user's ID is in the list of administrators for the restaurant.

The issue with this is that I am creating a SPA, and I would like to decide what options to render depending on the ID Token of the user. I could make an extra round trip to the database in order to fetch the resources that the user is authorized to use, but I feel like this is a cheap and shortsighted way to do it.

The positive thing about this approach is that it is fairly easy to get a good overview of who has rights to access the resources. This makes it easy to revoke an administration right from a user.

Create custom claims

I could create a custom claim, something like:
restaurantAdmin: [ array of restaurant ids the user is admin for ]

This approach seems like the one that makes the most sense. I do, however, feel very overwhelmed by the amount of code and logic I have to write in order to keep track of what custom claims have been issued, revoke claims and add new claims.

This approach would, however, let my client-side SPA know that it should render a link to the specific resource the user controls.

Discuss

I would love to hear what kind of approach you use; I feel like I don't know enough about this topic. Maybe there is a "go-to" approach to this that I am not aware of.
Having fine-grained resource authorization is not a very unique thing. I wonder how big sites like GitHub control access to a repository? How does Facebook control admin access to a group? Or Auth0 access to a tenant?


Maybe a combination of the two is the best way to go at it.

In the predefined rules there is one rule that allows for access to a remote database in order to add roles.
In my case, I could rewrite this rule to be custom claims.

Implementing claims that are based on the administrators saved in a restaurant gives me the ease of implementation through my SQL database, and access to the rights through the ID and access token.

On the back end of my API I can now write a policy that confirms the information in the access token.

I am, however, still not sure if this is the correct approach…
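The combined approach described in the two posts above, as an added example that is not code from the original thread or from Auth0: the custom claim is built from the administrator table when the token is issued (the rule step), the API checks the claim from the signature-verified token, and a stricter check goes back to the table for actions where a revocation must take effect before the old token expires. The admin table, user and restaurant IDs, and the namespaced claim name are constructed for this example (Auth0 requires custom claims to be namespaced, so a URL-style key is used).

```python
from typing import Dict, List, Set

# Constructed sample "administrators" table: restaurant_id -> set of admin user IDs.
# In the setup described above this would be the SQL table linked to each restaurant.
ADMINS: Dict[str, Set[str]] = {
    "rest-1": {"user-a", "user-b"},
    "rest-2": {"user-a"},
}

# Hypothetical namespaced claim name; the namespace is an assumption for this example.
CLAIM = "https://example.com/restaurantAdmin"


def issue_claims(user_id: str, admins: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Token-issuance step (the rule): derive the restaurantAdmin claim from the table.

    The result is a snapshot: a token issued now keeps this list until it expires.
    """
    ids = sorted(rid for rid, users in admins.items() if user_id in users)
    return {CLAIM: ids}


def can_manage(claims: Dict[str, List[str]], restaurant_id: str) -> bool:
    """API-side policy on the access token: no database round trip.

    `claims` must come from a token whose signature has already been verified;
    the SPA may use the same claim from the ID token only to decide what to render.
    """
    return restaurant_id in claims.get(CLAIM, [])


def can_manage_strict(user_id: str, restaurant_id: str, admins: Dict[str, Set[str]]) -> bool:
    """Source-of-truth policy against the admin table.

    Use this for destructive or high-value actions: an admin removed from the table
    is denied immediately, while an already issued token still carries the old claim.
    """
    return user_id in admins.get(restaurant_id, set())


def revoke_admin(user_id: str, restaurant_id: str, admins: Dict[str, Set[str]]) -> None:
    """Revocation is a single row deletion in the table; tokens already issued are unaffected."""
    admins.get(restaurant_id, set()).discard(user_id)
```
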