I am working on developing a library to generate a token to be used by an application to access a service resource. Here is the scenario: the library will accept a user name and password, then it should create a JSON-formatted token; I was trying to use JWT.
A JSON token, from my point of view, will include, besides the issuer, expiry, and audience, the roles of the user. For now everything goes fine; however, my manager wants the authorization filters to be more flexible. He does not want me to go and check for the roles within the principal in the current request context (the default behavior), as that will not make the authorization process flexible: every time I add a new role I need to go and modify the API services to add the new role to the Authorize attribute list.
For example, let's say I have a "Role 1" role and I used it to decorate some of the API services. If I add a new role "Role 2" and I want a principal that has that role to access my services, I will be forced to go and add/edit the Authorize attributes to include the newly created role, etc.
What my manager is thinking of is that instead of setting the role within the token, it would be better if I set the service URI, for example https://www.example.com/api/get, and the authorization mechanism checks whether any of the token's URIs matches the requested service URI; if a match is found, the service gets fetched and executed, which will make the authorization more flexible as I do not need to add/edit my service with each newly created role.
I hope my point of view is clear. My question:
Is such a mechanism reachable or not?
The JWT I tried so far only contains a specific set of info like the following, and the claim types are limited to a certain set; I cannot add a new user-defined property to it to hold the URIs, which is easy when creating a JSON object. How can I create my JSON so that it can be used as a valid OAuth token format?
"role": [ "role 1", "role 2", "role 3", etc.],
"URI": [ "URI 1", "URI 2", "URI 3", etc. ]
What I have tried:
I am trying to search on the internet and in some Apress books.
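The mechanism the question describes is reachable: the JWT specification (RFC 7519) permits private claims with any name, so a `role` array and a `URI` array can sit in the payload next to `iss`, `aud` and `exp`, and an authorization filter can then match the requested URI against the token's list instead of against a hard-coded role. The following is an added, self-contained illustration written for this answer, not the asker's code nor any particular JWT library; it builds and verifies an HS256 token with only the Python standard library. The secret, issuer, audience and the sample user/URI values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; a real deployment uses a strong random key
# from configuration and its own issuer/audience strings.
SECRET = b"constructed-demo-secret-do-not-reuse"
ISSUER = "https://www.example.com"
AUDIENCE = "https://www.example.com/api"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_token(username, roles, uris, secret=SECRET, ttl=3600, now=None):
    """Build an HS256 JWT whose payload carries both 'role' and 'URI' private claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": ISSUER,
        "aud": AUDIENCE,
        "sub": username,
        "iat": now,
        "exp": now + ttl,
        "role": list(roles),   # private claim: the user's roles
        "URI": list(uris),     # private claim: service URIs the user may call
    }
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = f"{_b64url(compact(header))}.{_b64url(compact(payload))}"
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_token(token, secret=SECRET, now=None):
    """Return the payload if signature, algorithm, audience and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        provided_sig = _b64url_decode(s)
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the algorithm: never trust 'alg' from the token to pick the verifier.
    if header.get("alg") != "HS256":
        return None
    expected_sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, provided_sig):
        return None
    payload = json.loads(_b64url_decode(p))
    if payload.get("iss") != ISSUER or payload.get("aud") != AUDIENCE:
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


def is_authorized(token, requested_uri, secret=SECRET, now=None):
    """The URI-based filter: allow the call only if the token lists the requested service.

    A listed URI matches itself exactly or acts as a path prefix ("/api/get"
    covers "/api/get/42") so that one claim can cover a resource family.
    """
    payload = verify_token(token, secret, now)
    if payload is None:
        return False
    allowed = payload.get("URI", [])
    if not isinstance(allowed, list):
        return False
    return any(
        requested_uri == u or requested_uri.startswith(u.rstrip("/") + "/")
        for u in allowed
        if isinstance(u, str)
    )


if __name__ == "__main__":
    tok = create_token("alice", ["role 1"], ["https://www.example.com/api/get"])
    print(tok)
    print(is_authorized(tok, "https://www.example.com/api/get"))     # True
    print(is_authorized(tok, "https://www.example.com/api/delete"))  # False
```

In an ASP.NET Web API the equivalent lives in a custom authorization filter that reads the `URI` claim from the validated principal and compares it with the request URL, so adding a new role or endpoint only changes what goes into the token, not the attributes on the controllers. Whatever library is used, keep the algorithm pinned on the verifying side and treat the `URI` list as untrusted input until the signature has been checked.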