Say I have two different full stack applications built by the same company that share a user base but could also have users that only use one or the other. These applications each have their own resources exposed via APIs and the auth setups for each allow for the user to share their data with other people in a group they create. Each group allows the owner user to set permissions for each of the other members.
Now say a user in group 1 of application A wants to share data from application B with other team members in group 1 of application A. How would application B allow the user to share this data if it doesn’t share the same auth hierarchy as application A?
Specifically, if one of the other users in the above-mentioned group logs into application A and wants to view the data shared by the original user, how does application B, on receiving a request with an auth token whose user id is not the resource owner in application B, respond with a success?
Should both applications be refactored to share a common user identity system (with corresponding group hierarchies) and a common authorization system? Or should the user need to build a mirror of the group hierarchy and roles in application B, if it even allows for the concept of group access to resources?
So far I’ve tried a design where every app in the company needs to use the shared user domain and grouping hierarchy and that seems to work conceptually, but is less flexible if different apps want to support different grouping topologies. In a company with multiple departments (financial services, e-commerce, marketing, etc) each area may have a slightly different context of a user and their specific auth and access patterns. Is there a better federated way to enable sharing across systems?
If Authorization Service is centralized (which manages user roles & permissions), your entire company can externalize logic for roles & permissions for all applications (in other orgs & departments) to this Service. Usually Authorization is managed by Identity Services & sits closely with user data. Not sure I answered your question - but hope this gives you an idea.
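To make the centralized design from the answer concrete for the scenario in the question (a group created in application A, a resource owned in application B, a group member whose token carries a different user id than the owner), here is an added example that is not part of the question or the answer. It assumes a shared identity provider that mints HMAC-signed tokens containing only the user id, and a single authorization service in which groups, per-member permissions and resource shares live; both applications consult it instead of keeping their own hierarchies. The names (AuthzService, handle_app_b_request, app ids, user ids, the token format and secret) are constructed for illustration; a production system would use OIDC/JWT tokens from the identity provider and a proper policy engine.

```python
"""Added example: one authorization service consulted by every application.

All identifiers here are constructed for the illustration; the HMAC token is a
stand-in for a real identity provider's signed token (e.g. a JWT from OIDC).
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Shared between the identity provider and every application (constructed value).
IDP_SECRET = b"constructed-shared-secret"


def issue_token(user_id: str) -> str:
    """Identity-provider side: mint an HMAC-signed token carrying only the user id."""
    payload = base64.urlsafe_b64encode(json.dumps({"sub": user_id}).encode()).decode()
    sig = hmac.new(IDP_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_token(token: str) -> Optional[str]:
    """Application side: check the signature and return the user id, or None if invalid."""
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(IDP_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]


@dataclass
class Group:
    owner: str
    # member user id -> permissions the group owner granted ("read", "write", ...)
    members: Dict[str, Set[str]] = field(default_factory=dict)


class AuthzService:
    """Central authorization: groups, per-member permissions and resource shares
    are stored here, not inside application A or application B."""

    def __init__(self) -> None:
        self.groups: Dict[str, Group] = {}
        self.owners: Dict[Tuple[str, str], str] = {}        # (app, resource) -> owner
        self.shares: Dict[Tuple[str, str], Set[str]] = {}   # (app, resource) -> group ids

    def create_group(self, group_id: str, owner: str) -> None:
        self.groups[group_id] = Group(owner=owner)

    def set_member_permissions(self, acting_user: str, group_id: str,
                               member: str, perms: Set[str]) -> None:
        group = self.groups[group_id]
        if group.owner != acting_user:
            raise PermissionError("only the group owner may set member permissions")
        group.members[member] = set(perms)

    def register_resource(self, app: str, resource: str, owner: str) -> None:
        self.owners[(app, resource)] = owner

    def share_resource(self, acting_user: str, app: str, resource: str, group_id: str) -> None:
        if self.owners.get((app, resource)) != acting_user:
            raise PermissionError("only the resource owner may share it")
        self.shares.setdefault((app, resource), set()).add(group_id)

    def check(self, user: str, app: str, resource: str, action: str) -> bool:
        """Owner always allowed; otherwise allowed if some group the resource is
        shared with grants this user the requested action."""
        if self.owners.get((app, resource)) == user:
            return True
        return any(action in self.groups[gid].members.get(user, set())
                   for gid in self.shares.get((app, resource), ()))


def handle_app_b_request(authz: AuthzService, token: str, resource: str, action: str) -> int:
    """Application B's API handler: validates identity, then defers to the central service."""
    user = verify_token(token)
    if user is None:
        return 401  # unauthenticated: token missing or tampered
    return 200 if authz.check(user, "appB", resource, action) else 403


def demo() -> Dict[str, int]:
    authz = AuthzService()
    # Group 1 is created in application A by alice, who grants bob read-only access.
    authz.create_group("g1", "alice")
    authz.set_member_permissions("alice", "g1", "bob", {"read"})
    # alice owns a resource in application B and shares it with group g1.
    authz.register_resource("appB", "report-42", "alice")
    authz.share_resource("alice", "appB", "report-42", "g1")
    return {
        "bob_read": handle_app_b_request(authz, issue_token("bob"), "report-42", "read"),
        "bob_write": handle_app_b_request(authz, issue_token("bob"), "report-42", "write"),
        "carol_read": handle_app_b_request(authz, issue_token("carol"), "report-42", "read"),
        "tampered": handle_app_b_request(authz, issue_token("bob") + "x", "report-42", "read"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the split is that application B never needs its own copy of application A's group topology: it only validates the identity token and asks the central service whether this user may perform this action on this resource. Different departments can still model groups differently, as long as every grant ends up expressed in the shared service's vocabulary of user, resource and action.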