Using ClaimsTransformation with JWT Tokens in .NET Core API Authentication

With OAuth 2.0, your API trusts a JWT bearer token. The presumption is that this token carries all of the identity, role, permission, and policy related claim data your API requires. That presumption has some significant impacts:

  1. You have centralized claim provisioning in your identity provider. That god service either a) owns everything to do with identity, roles, permissions, and policies; b) depends on an always-on API from the services that do; or c) accepts an eventual consistency model.
  2. It bloats the JWT token sent to every API with claims that belong to individual domain microservices and are needless elsewhere.

Let us aim to decentralize the fine-grained authorization permissions and policies to the microservices themselves, and leave the JWT token to handle identity authentication and coarse-grained authorization.

Introducing IClaimsTransformation providers.

So long as AddAuthorization() has been called in your Startup.cs, then upon successful JWT validation the ASP.NET Core middleware will execute all registered providers, allowing you to enrich your claims before permission, role, and policy checks are executed.

By doing so, we a) reduce the burden of managing this content at our identity provider, b) slim down the JWT token size, c) get immediate realization of authorization changes, and d) preserve microservice autonomy!
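The following is an added example (not code from the original post) of such a provider: it adds this microservice's own permissions as claims after the JWT has been validated. `IPermissionStore` and the `"permission"` claim type are assumptions standing in for whatever local store the service uses.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;

// Hypothetical per-service permission lookup (e.g. backed by this microservice's own database).
public interface IPermissionStore
{
    Task<string[]> GetPermissionsAsync(string subjectId);
}

// Enriches the validated principal with this service's fine-grained permission claims.
public class PermissionClaimsTransformation : IClaimsTransformation
{
    private const string PermissionClaimType = "permission";
    private readonly IPermissionStore _store;

    public PermissionClaimsTransformation(IPermissionStore store) => _store = store;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // Only enrich authenticated identities; anonymous requests are left untouched.
        if (principal.Identity?.IsAuthenticated != true)
            return principal;

        // TransformAsync can run more than once per request: skip if already enriched.
        if (principal.HasClaim(c => c.Type == PermissionClaimType))
            return principal;

        // The JWT "sub" claim identifies the user; the JwtBearer handler may have mapped it
        // to ClaimTypes.NameIdentifier, so check both.
        var subject = principal.FindFirst("sub")?.Value
                   ?? principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (subject is null)
            return principal;

        // Clone rather than mutate: the incoming principal may be shared by other callers.
        var clone = principal.Clone();
        var identity = (ClaimsIdentity)clone.Identity!;
        foreach (var permission in await _store.GetPermissionsAsync(subject))
            identity.AddClaim(new Claim(PermissionClaimType, permission));
        return clone;
    }
}

// Registration in Startup.ConfigureServices (JWT bearer setup elided; SqlPermissionStore is hypothetical):
// services.AddScoped<IPermissionStore, SqlPermissionStore>();
// services.AddTransient<IClaimsTransformation, PermissionClaimsTransformation>();
// services.AddAuthorization(o => o.AddPolicy("CanShipOrders",
//     p => p.RequireClaim("permission", "orders:ship")));
```

With this registered, a `[Authorize(Policy = "CanShipOrders")]` endpoint is gated by the service's local permission data rather than by a claim the identity provider had to issue.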

Published by Brent VanderMeide

CTO and an enterprise, microservice, cloud architect with over 20 years of experience leading teams with focuses on the following:

  * Strategic Planning
  * Technology & Product Roadmaps
  * Architecture Patterns & Practices
  * Domain Driven Design (DDD)
  * Containerization & Orchestration