How to deal with the following scenario in ORY?

chriswang · January 9, 2020, 8:40am

Suppose I have the APIs as below:

/app/user_info
/app/car_info

The system is able to create different branch by user, like:
BranchA
BranchB

The APIs is branch wise, It will show the data according to the current branch id which is selected by the current logined user who switch the different branch in the front-end.

Now, we have a User who is able to access all the APIs in BranchA.
In the meanwhile, The User has a limited permissions to access APIs in the BranchB (Suppose User can only access /app/user_info).

|-----------------------------------------------------------------------|
| User | BranchA | /app/user_info, /app/car_info |
|-----------------------------------------------------------------------|
| User | BranchB | /app/user_info |
|-----------------------------------------------------------------------|

So how to cope with the similar scenario?
I think the Access Token should be changed if an user switch to different Branch
According to the OAuth, and the User should login if someone want get a new kinds of access token.
But, I think, It is not user friendly and unacceptable that it ask user login again and again when they switch the branch.

hackerman · January 9, 2020, 9:57am

You might be able to solve that with the access token audience - you can set it during the consent accept.

chriswang · January 9, 2020, 11:33am

The topic is worring about that if the User stay in the BranchB that he could access /app/user_info API, But using the access token(belong to BranchB) how to access the /app/car_info if the user switch to the BranchA ?

The Branch is not something like ResourceServer, All the branches are belong to the same resource server.

chriswang · January 9, 2020, 1:00pm

I think I need change a new access token when user switch different branch at the front-end ? But I dont known how to implements this kinds of procedure ?

hackerman · January 9, 2020, 2:59pm

I don’t think I can answer that, also bevause I don’t understand what you mean with branches. Habe you worked wirh OAuth2 before?

chriswang · January 10, 2020, 12:49am

Hi aeneasr,

I am sorry for my expression. the branch is something like : department, subsidiary, in our system it is branch school, It is not the concept of OAUTH2.

I used to work with OAUTH2 a little , But I am new for the topic scenario. So I want to ask for some suggestion.

hackerman · January 10, 2020, 7:23am

I think we token aufience is what you’re looking for then!

chriswang · January 10, 2020, 9:42am

I dont think the token audience will meet the requirement, Because all the branch are in the same resource server, actually, they are in the same table, The APIs between different branches are also same. The token audience is something used for distinguishing to the different resource serveres as far as I known,
Could you give me some more details about how to meet the requirement by token authence?

hackerman · January 11, 2020, 12:27pm

You can scope the audience on a “resource” level if you want to. So http://myapi/api/<schoolid> could be a valid strategy in your case.

chriswang · January 11, 2020, 3:47pm

Hi aeneasr:

I‘v understood the the means you given. But how about the token, Just imagine, The user logged in the application, There are several branch schools that he can choose or switch to, Each school will correspond to the different access token, So Do I need to assign multiple token to the user in one authorization? It is not possible according to OAUTH2.
To resolve this, I think I need to assign a new access token & refresh token after user switch to the diffrent branch school ? But how to assign a new token without user re-login, this is the question I want to ask. I have almost no experience of oauth2 about this situation.

hackerman · January 13, 2020, 11:17am

On the one hand you say that you want isolation, on the other you say you don’t want it. You need to pick one.

The token audience can be an array of strings, so you could have multiple schools as the audience.

chriswang · January 13, 2020, 3:35pm

This kinds of ISOLATION is not True or False, Aeneasr, see the info on above:

|-----------------------------------------------------------------------|
| User | BranchA | /app/user_info, /app/car_info |
|-----------------------------------------------------------------------|
| User | BranchB | /app/user_info |
|-----------------------------------------------------------------------|

If the user switch the branch from A to B. the api permission /car_info will be deducted. This feature might cause the token changed.

Yes, It is true that I can check the Role-Permission table in each API call, That it will bring me huge network overhead. I dont think it is a wise solution. So I want change the access token when the user switch the branch , pls check out below that is my discussion in the StackOverFlow