Access As a Service



 As part of our needs, we are using a different kind of application. Each application has a different kind of login mechanism. Each mechanism will enhance user experience like federated login with an external provider and improve the application security like adding a verification layer as part of user login. Most of the applications are stateless and they are accessing their backend APIs using an access token. This access token should have information about the user access, minimal user information and it should expire as per the security needs. We can generate the access token in different ways using different types of grant types.


ClientCredientials:

This type of grant is commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user. Multiple application they can communicate with each other using this flow.  They will pass their client id and the secret to the IDP and get the token. Using that token they will access the partner APIs.


Resource Owner Password:

The client needs to send the client id and user credentials to IDP and then receive the token. Using the token they can access the API. Most of the applications using this approach. 


Implicit:

The client needs to send the client id, user credentials, and list of permission they want to grant to IDP and then receive the token. Using that token they can call the API with limited access. This is mainly used to login with an external provider. User needs to login with their external identity provider using OpenIDConnect protocol.


Authorization Code:

It will add one more layer to the implicit flow. Instead of returning the token, it will return the authorization code. The client application needs to send the authorization code to get the access token. Using this they can access the APIs.

Comments

Post a Comment

Popular posts from this blog

Hybrid Federated Ocelot Gateway

Image
Ocelot:  People who have experienced with .net core distributed microservices architecture will be very familiar with an ocelot. It's an API gateway to forward the request based on the routes. It supports the HTTP for rest services and WebSocket protocol for signalR services. It's providing a lot of features like authentication, Authorization, adding custom headers, and a lot. All are configurable. We can easily orchestrate multiple services using ocelot. It's a single point of contact to the outside world. It acts as a reverse proxy. As part of microservices architecture, each service will have a single responsibility. Sometimes service needs some data from other services or needs to complete some action from other services as part of business workflow. As part of distributed microservices architecture, there are many ways to enable communication between the services.  1) Service to Service communication via HTTP or Grpc. 2) Event-Driven via pub/sub model Service to servic
Read more

.NET Core NUGET packages

 .Net core development is based on the open-source NuGet packages. NuGet will reduce work and manage the application very easily. We need to select the NuGet based on the purpose otherwise it will impact the application performance as well as application size also. As part of the development lifecycle, we need to select a different set of libraries on each stage.  While creating a new service we need to inform what kind of APIs are going to be available and what are fields will belong to that each APIs. It will provide high-level information about the service. So We need clear documentation at the first phase of development itself. We can create documentation either manually or code-wise. Manual documentation will double the work. Code wise we can generate the document by code and based on the needs we can update it later. We can create high-level API documentation using Swashbuckle at the initial stage of development. Swashbuckle: We need to share the API specs while developing a rest
Read more

Dapper Micro ORM (Connection Management)

Image
Dapper is a micro-ORM or a Data Mapper. It internally uses ADO.NET. Additionally, Dapper maps the ADO.NET data structures to your custom POCO classes. As this is additional work Dapper does, in theory, it cannot be faster than ADO.NET. It's Prevent SQL Injection from external user input by avoiding raw-SQL query string building. Dapper provides methods to build parameterized queries as well as passing sanitized parameters to stored procedures. Dapper has provided multiple methods to Query or execute the store procedures and SQL queries. At the High level, we can split into two categories as Query and Execute. Query: Its mainly used to fetch the data from the database. It has the following feature. To query the data in sync or async way  To fetch single or multiple records. To query single or multiple result sets also. Execute: It's mainly used to manipulate data in the database. We can pass store procedures or SQL statements as input to execute them into the database. It
Read more