Authentication and authorization might sound similar, but both are distinct security processes in the world of identity and access management and understanding the difference between these two concepts is the key to successfully implementing a good IAM solution.
While authentication is the act of verifying oneself, authorization is the process of verifying what you have access to, so coupling identity and access management in a single solution is not considered a good approach. Authentication is really good to provide a common identity across all applications while authorization is something that varies in each application, for these reasons we should treat them independently.
It is very common to see how people misuse OIDC servers by adding permissions into tokens and there are many reasons why this approach is a wrong solution:
- Permissions are something that depends on each application and sometimes depends on complex business rules.
- Permissions could change during the user session, so if you are using JWT tokens, you must wait until the lifetime of the token expires to retrieve a new token with the permissions up to date.
- You should keep your tokens small because we have some well-known restrictions such as URL Path Length Restrictions, bandwidth...
Balea is an authorization framework for ASP.NET Core developers that aims to help us decoupling authentication and authorization in our web applications.
For project documentation, please visit readthedocs.
Balea is built against the latest NET Core 6 and .Net Core 8.
This project was inspired by Dominick Baier's & Brock Allen PolicyServer (local version) https://github.com/PolicyServer/PolicyServer.Local Thank you to all who have contributed in the project!
Balea is built using the following great open source projects and free services:
..and last but not least a big thanks to all our contributors!
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.