6 Configuring authorization
This chapter covers
- Defining authorities and roles.
- Applying authorization rules on endpoints.
- Grouping endpoints for authorization.
Some years ago, I was skiing in the beautiful Carpathian mountains when I witnessed this funny scene. About ten, maybe fifteen people were queuing to get into the cabin to go to the top of the ski slope. A well-known pop artist showed up, accompanied by two bodyguards. He confidently strode up, expecting to skip the queue because he was famous. Reaching the head of the line, he got a surprise. “The ticket, please!” said the person managing the boarding, who then had to explain, “Well, you first need a ticket, and second, there is no priority line for this boarding, sorry. The queue ends there.” He pointed to the end of the queue.
In most cases in life, who you are is not all that matters. We can say the same about software applications: who you are is not the only thing that matters when you try to access a specific functionality or data. Up to now, we have only discussed authentication, which is, as you learned, the process in which the application identifies the caller of a resource. In the examples we’ve worked on in the previous chapters, we did not implement any rule to decide whether to approve the request. We’ve only cared whether the system knows the caller or not. In most applications, however, not all users identified by the system can access every resource of the system.