How-to
Use OAuth for authorization
Pattern
Implement IAuthorizationProvider as a wrapper that validates an OAuth token associated with each sender:
public sealed class OAuthAuthorizationProvider : IAuthorizationProvider
{
private readonly string _issuerUrl;
private readonly string _audience;
// The sender's OAuth token is communicated via the envelope body
// (or a custom field). The provider validates it against the issuer.
public async Task<PolicyDecision> AuthorizeAsync(...)
{
// 1. Extract token from request context
// 2. Validate signature, expiry, audience against _issuerUrl
// 3. Inspect scopes / claims
// 4. Return PolicyDecision(...)
}
} See also
- The authorization model Concept
- Use LDAP for authorization How-to
- Use Open Policy Agent How-to