I have a user permission system in place where I have a set of permissions within the database, for example:

| id | Permission |
|---|---|
| 1 | POST:CreateBooking |
| 2 | GET:AllBookings |
And I have another table (junction table) where I put dependent permissions, such as: if I want to create a Booking, I need to fetch Package details, and so POST:CreateBooking requires the user to also have the GET:AllPackages permission.
There’s a template system in place as well, where the users can group multiple permissions together, and once that template is assigned to any employee, that employee will get THAT set of permissions and its dependent permissions.
What my nodejs system does is that when a user logs in, it fetches all permissions from the DB and puts them in a redis set, from where on each request the permission is checked against the user id.
Is there any tool from where I can do exactly this but in an intuitive and better way? I tried keycloak but I don’t know how to cover my needs mentioned above.
Thank you
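The lookup the question describes (template → its permissions → their dependent permissions, loaded once as a set and checked on each request), as an added example in Node-style JavaScript that is not part of the question. The table rows, template name and function names are constructed for illustration; in the real system the rows come from the DB and the set lives in Redis.

```javascript
// Added example (not from the question): resolve the effective permission set
// for an employee from an assigned template and the dependency junction table,
// then check a request against it. All table rows below are constructed.

// "permissions" table: id -> "METHOD:Name"
const permissions = new Map([
  [1, "POST:CreateBooking"],
  [2, "GET:AllBookings"],
  [3, "GET:AllPackages"],
  [4, "GET:Package"],
]);

// Junction table of dependent permissions (constructed rows):
// POST:CreateBooking requires GET:AllPackages, which requires GET:Package.
const dependencies = [
  { permissionId: 1, requiresId: 3 },
  { permissionId: 3, requiresId: 4 },
];

// Template: a named group of permission ids assigned to employees.
const templates = new Map([["booking-agent", [1]]]);

// Expand a template into its permissions plus all transitive dependencies.
// Iterative walk with a visited set, so chains and accidental cycles are safe.
function resolveEffectivePermissions(templateName) {
  const deps = new Map();
  for (const { permissionId, requiresId } of dependencies) {
    if (!deps.has(permissionId)) deps.set(permissionId, []);
    deps.get(permissionId).push(requiresId);
  }
  const stack = [...(templates.get(templateName) || [])];
  const seen = new Set();
  while (stack.length) {
    const id = stack.pop();
    if (seen.has(id)) continue; // already expanded (cycle/duplicate guard)
    seen.add(id);
    stack.push(...(deps.get(id) || []));
  }
  // Same shape as the Redis set loaded at login: one "METHOD:Name" string each.
  return new Set([...seen].map((id) => permissions.get(id)).filter(Boolean));
}

// Per-request check against the loaded set; deny by default on any miss.
function isAllowed(effective, method, name) {
  return effective.has(`${method.toUpperCase()}:${name}`);
}
```

Because dependencies are resolved when the set is built, a per-request check stays a single set lookup, and an unknown template or permission id simply yields no grants.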
2 Answers
If I’m understanding correctly and trying to generify your scenario, you have a classical situation where:

- groups which can have multiple permissions assigned;
- groups can be created dynamically;
- permissions correspond to a specific functionality.

So, implementing the OIDC (Open Id Connect) protocol might fit your needs. As you suggested yourself, you might be interested in an OpenID provider (do not reinvent the wheel): keycloak is good, you can give a look also to Vault Hashicorp.

So assuming that your backend has an already existing framework to handle security and permissions (eg. Spring Security), you can produce a JWT token with the OpenId provider and check through `PreAuthorize` the claims (permissions) inside the token. At the end your security layer is just an annotation you need to insert before your method controller or before your class controller.
Behind the scenes, instead, this is what will happen:

403 Forbidden is returned.

OIDC – as the conceptual model/backdrop to any tool of choice – is certainly a popular/good choice, but as long as you’re willing to deal with an element of complexity – the understanding required to implement an OIDC arrangement (think of it as a possible investment: effort up front with hopefully the rewards trickling in over time); e.g. OIDC is an ideal choice for supporting SSO (Single Sign On), especially when it comes to supporting/allowing for authentication/login via providers such as Facebook, LinkedIn & Google, etc (as well as more Corporate OPs (OIDC Providers) including AAD/Azure AD).
Try to first step-back, and consider the possible bigger/future picture, before selecting a tool based upon only your starting/current requirements.