The main architecture of my application is a React front end that uses a RESTful API, which sits on top of a layered storage layer.
Front end:
- React (responsive; consumes the APIs)
Back end:
- Python
- Flask
Authentication:
- Auth0 + Okta
Everything works great. However, I need to have different roles for users. In other words, I need to control the actions that a user can perform on a resource based on their role.
Example:
- User A wants to add a new user.
- There is a token in the request, so I know that user A is authenticated.
- Now I need to make sure that user A can actually add a user, based on their role.
I do not want to hard-code user roles, as suggested in other solutions, and I would like to be able to add additional roles.
I also want to respect what others have already done, so if there is a resource that addresses my concern, please do not hesitate to point me to it.
These are my questions:
1. Are there any best practices for implementing what I'm trying to accomplish?
2. Could you give me examples or guides on authorization (rather than authentication)?
3. Do I check on every service call whether the authenticated user can also perform the action, or do I provide roles in some form after authorization, so that the service request contains both an authentication token and an authorization? (That looks pretty easy to hack, so I guess not ...)
If I sound confused about the topic of authorization, it is because I am. Please feel free to tell me about any resource that was useful to you.
Thanks in advance for taking the time to help! I really appreciate that.
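One way to do what the question asks, as an added example that is not part of the original post and not Auth0's or Okta's code: a role-to-permission table kept as data (so new roles need no code change), an authorization decision made only from the verified token claims, and a decorator that re-checks the permission on every service call. The custom claim name `https://example.com/roles`, the role names, the permission strings and the `add_user` handler are all constructed assumptions; the framework plumbing is left out so the block runs stand-alone.

```python
"""Role-based authorization for a REST back end (added example, not from the original post)."""
from functools import wraps
from typing import Callable, Dict, FrozenSet, Mapping, Set

# Permissions are "action:resource" strings. The role -> permissions mapping is
# data (in practice a database table or config file), so roles can be added
# without touching code. Constructed sample data.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "admin": frozenset({"create:user", "read:user", "update:user", "delete:user"}),
    "manager": frozenset({"create:user", "read:user"}),
    "viewer": frozenset({"read:user"}),
}

# Assumed name of the custom claim the identity provider puts roles in.
ROLES_CLAIM = "https://example.com/roles"


class Forbidden(Exception):
    """Caller lacks the required permission; map this to HTTP 403 in the web layer."""


def permissions_for(roles) -> Set[str]:
    """Union of the permissions of every role held; unknown roles grant nothing."""
    allowed: Set[str] = set()
    for role in roles:
        allowed |= ROLE_PERMISSIONS.get(role, frozenset())
    return allowed


def is_allowed(claims: Mapping, permission: str) -> bool:
    """Decide from *verified* token claims only.

    Roles come from the token the identity provider signed, never from the
    request body or a separate client-supplied header, so a client cannot
    grant itself a role. The token signature must already have been checked.
    """
    return permission in permissions_for(claims.get(ROLES_CLAIM, []))


def require_permission(permission: str):
    """Decorator for a handler whose first argument is the verified claims dict.

    Applied to every service call, so authorization is enforced server-side on
    each request rather than once at login.
    """
    def decorator(handler: Callable):
        @wraps(handler)
        def wrapper(claims: Mapping, *args, **kwargs):
            if not is_allowed(claims, permission):
                raise Forbidden(f"missing permission {permission}")
            return handler(claims, *args, **kwargs)
        return wrapper
    return decorator


@require_permission("create:user")
def add_user(claims: Mapping, new_user: dict) -> dict:
    """Sample service call (hypothetical): only succeeds if the caller may create users."""
    return {"created": new_user["email"], "by": claims["sub"]}


if __name__ == "__main__":
    # Constructed claim sets standing in for decoded, signature-verified JWTs.
    manager = {"sub": "auth0|manager", ROLES_CLAIM: ["manager"]}
    viewer = {"sub": "auth0|viewer", ROLES_CLAIM: ["viewer"]}
    print(add_user(manager, {"email": "new@example.com"}))
    try:
        add_user(viewer, {"email": "new@example.com"})
    except Forbidden as err:
        print("denied:", err)
```

In a Flask application the route handler would verify the bearer token (Auth0's and Okta's Flask quickstarts show the signature and audience checks), pass the decoded claims into a function decorated like `add_user`, and register an error handler that turns `Forbidden` into a 403 response. This also answers the third question: the roles travel inside the signed token, and the check happens on every call, so there is no second client-supplied "authorization" value to tamper with.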