You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I have an API where the caller can create some resources, and I want to ensure that only the "owner" of the resource can manipulate it after creation. I initially persisted the User.Identity.Name as the "owner" and then checked it in my resource authorization handler to see whether or not the current user owned the resource before allowing him to edit/delete it.
This works fine for user flows (user tokens), but fails miserably for daemon app flows (application tokens). App tokens do not have the underlying claim used by Identity.Name and uses other things, like "appid" claims with guids in it.
If I want to keep enforcing resource-based ownership for application access, should I conditionally persist/check the "appid" (or similar claim) instead of checking the Identity.Name property when I detect the token to be an "application token"?
Are there any best practices surrounding this scenario of resource-based authorization with both users and applications managing resources at the same time?
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
-
I have an API where the caller can create some resources, and I want to ensure that only the "owner" of the resource can manipulate it after creation. I initially persisted the
User.Identity.Nameas the "owner" and then checked it in my resource authorization handler to see whether or not the current user owned the resource before allowing him to edit/delete it.This works fine for user flows (user tokens), but fails miserably for daemon app flows (application tokens). App tokens do not have the underlying claim used by
Identity.Nameand uses other things, like "appid" claims with guids in it.If I want to keep enforcing resource-based ownership for application access, should I conditionally persist/check the "appid" (or similar claim) instead of checking the
Identity.Nameproperty when I detect the token to be an "application token"?Are there any best practices surrounding this scenario of resource-based authorization with both users and applications managing resources at the same time?
Related:
Beta Was this translation helpful? Give feedback.
All reactions