Authentication and authorization might be sound similar but both are distinct security processes in the world of identity and access management and understand the difference between these two concepts are the key to successfully implementing a good IAM solution.
While authentication is the act of verifing oneself, authorization is the process of verifing what you have access to, so coupling identity and access management in a single solution is not consider a good approach. Authentication is really good for provide a common identity across all applications while authorization is something that depends on each application, for these reason we should treat them indepentdly.
It's very common to see how people missues OIDC servers adding permissions into tokens and there are many reasons why this approach is a wrong solution:
- Permissions are something that depends on each application and sometimes depends on complex bussines rules.
- Permissions could change during the user session, so if you are using JWT tokens, you must be wait until the lifetime of the token expires in order to retrieve a new token with the permissions up to date.
- You should keep your tokens smalls because we have some well known restrictions such us URL Path Length Restrictions, bandwidth...
Balea is an authorization framework for ASP.NET Core developers that aims to help us to decoupling authentication and authorization in our web applications.
For project documentation, please visit readthedocs.
Balea is built against the latest NET Core 3.
Balea is built using the following great open source projects and free services:
..and last but not least a big thanks to all our contributors!
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.