Hi everyone,
I'd like some advice about securing APIs with FusionAuth. Here's the environment:
We have multiple microservices with APIs (JSONAPI) requiring an OpenID access token. All applications using those APIs and the OpenID provider are homemade.
Tricky part: we have read/write permissions AND data filtering for users.
We call the filtering strategies "resources" (e.g. AllClient, MyClient, ProducedClient, etc.). Most of the time, they use a user's property to filter data. Our authorizations are combinations of read/write, resource and user (or group of users).
The plan is to migrate to FusionAuth (you guessed it) and add a gateway to handle security. We already installed Kong gateway and wrote a plugin to verify the access token and transform requests, block paths, etc. User properties are stored in the FusionAuth user model and populated in claims (lambda involved here), but we're missing resources.
We created an Entity/Type for the gateway and used permissions to declare resources and read/write combinations (MyClient:Read, MyClient:Write, etc.). Really cool thing: we can give access to external workflow applications (n8n and others) with client credentials by adding an entity, adding properties and granting permissions on the gateway's entity. The correct scope in the auth request should add the permissions into the access token.
The problem is, I can't do the same thing with users. I can grant permissions on the gateway's entity, but it won't fill permissions in the access token as it does in the previous case; only roles are taken into consideration. A poor solution is to call FusionAuth's entity API in a lambda and fill permissions manually, but it feels like I'm doing something wrong (and maybe because the Starter edition does not include request capability in lambdas). Adding resources in the user's data would be a shame. Any ideas?
Please tell me your feelings about how we use FusionAuth. Thx!
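An added example (not from the original post, and not FusionAuth's or Kong's own code) of the gateway-side decision the plugin has to make once the token signature is verified: map the HTTP method onto the Resource:Read / Resource:Write permission naming described above and deny by default. The audience value, the "permissions" claim name and shape, and the sample payloads are assumptions.

```python
import time
from typing import Optional

GATEWAY_AUDIENCE = "api-gateway"  # assumed value: the gateway entity's client id
READ_METHODS = {"GET", "HEAD", "OPTIONS"}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def required_permission(resource: str, method: str) -> str:
    """Map an HTTP method onto the post's Resource:Read / Resource:Write naming."""
    if method.upper() in READ_METHODS:
        return f"{resource}:Read"
    if method.upper() in WRITE_METHODS:
        return f"{resource}:Write"
    raise ValueError(f"unsupported HTTP method: {method}")

def granted_permissions(claims: dict) -> frozenset:
    """Collect permission strings from an already signature-verified payload.
    Accepts a flat list or (assumed shape) a map of grantee id -> list. Roles are
    deliberately not turned into permissions: a roles-only user token yields an
    empty set, which is exactly the gap the post describes."""
    perms = claims.get("permissions") or []
    if isinstance(perms, dict):
        return frozenset(p for plist in perms.values() for p in plist)
    return frozenset(perms)

def authorize(claims: dict, resource: str, method: str,
              now: Optional[float] = None) -> tuple:
    """Deny by default; return (allowed, reason) for a route guarded by `resource`."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if GATEWAY_AUDIENCE not in audiences:
        return False, "token not issued for the gateway"
    needed = required_permission(resource, method)
    if needed in granted_permissions(claims):
        return True, f"granted {needed}"
    return False, f"missing {needed}"

# Constructed sample payloads (not real FusionAuth output): the decoded body of a
# JWT whose signature the gateway plugin has already checked.
ENTITY_TOKEN = {"sub": "entity-n8n", "aud": GATEWAY_AUDIENCE, "exp": 2_000_000_000,
                "permissions": ["MyClient:Read", "MyClient:Write"]}
USER_TOKEN = {"sub": "user-42", "aud": GATEWAY_AUDIENCE, "exp": 2_000_000_000,
              "roles": ["sales"]}  # roles only: what the user access token carries today

if __name__ == "__main__":
    for token, res, meth in [(ENTITY_TOKEN, "MyClient", "GET"), (USER_TOKEN, "MyClient", "DELETE")]:
        print(token["sub"], res, meth, authorize(token, res, meth, now=1_700_000_000))
```

Whatever ends up populating the user token (entity grant, lambda, or user data), the check stays the same: the gateway only ever trusts permission strings it finds in a verified token, never the role name alone.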