Implementation Cases to Explore

[Crain-32]

Space to dump Implementation Cases to explore to avoid filling up the original Spring Security with what we want to try out, so it can focus more on what we have tried out, what failed, what worked, and what we still need to model.

Cases to model

• Single Object Authorization Check (Pre Method Call)
• Single Object Authorization Check (Post Method Call)
• API Route Authorization Check
• Bulk Object Authorization Check - Use case: Support list operations #18
• 2 Step Authorization Check

[jimmyjames]

Thanks @Crain-32 - can you elaborate a bit more on these use cases? I don't want to make assumptions.

• API Route Authorization Check
• Bulk Object Authorization Check
• 2 Step Authorization Check

[Crain-32]

Absolutely!

Api Route Authorization Check

The idea is to check out endpoint authorization, here is a simple example the Documentation uses.

@Bean
SecurityFilterChain web(HttpSecurity http) throws Exception {
	http
		.authorizeHttpRequests((authorize) -> authorize
			.requestMatchers("/endpoint").hasAuthority("USER")
			.anyRequest().authenticated()
		)
        // ...

	return http.build();
}

We've talked mostly about Method Annotations, but it would be great to have a better idea of if any type of support here would be good.

Bulk Object Authorization Check

Minor typo here, it's more about modelling the Batch Authorization Checks the SDK supports. What does that look like, how is it different from the single object? Etc.

2 Step Authorization Check

Someone brought up in the call something like this, where you have to authorize based on Data A, then Data B? I'm not 100% sure what it was, so I put it down there to avoid forgetting to make sure to ask them for clarification.

[jimmyjames]

Hey @Crain-32, thanks for filling out those details!

Regarding endpoint authorization, I think it's something we should explore to identify what possible use-cases could be there. Since FGA operates at a fine-grained object level, are there scenarios where it would make sense to configure endpoint authorization for? I'm not saying there aren't those use cases, just that we should think about what those use cases might be.

Minor typo here, it's more about modelling the Batch Authorization Checks the SDK supports. What does that look like, how is it different from the single object? Etc.

I think for this, again we should think about what that use-case is from an application's perspective, and then based on that use case think about how and when a batch check would be used.

Someone brought up in the call something like this, where you have to authorize based on Data A, then Data B? I'm not 100% sure what it was, so I put it down there to avoid forgetting to make sure to ask them for clarification.

I believe this is in reference to supporting contextual or time-based authorization, which definitely is a use-case we need to flesh out more, as the current examples do not address this.

Also FYI I am thinking through these and other various use cases and discussing them with the FGA team, and I think at some point soon we'll split these various use cases and others into their own issues for further discussion and explorartion.

Thanks!