Share via

SaaS (.net core) and Azure Ad B2C - What is the best approach to handle user defined authorization policies?

Emerson Brito 21 Reputation points
2021-02-01T20:00:01.743+00:00

Hi there,

I'm trying to find the best (or most common) approach to a feature implementation.

Scenario:

  • A multitenant WEB app (SaaS) using Azure AD B2C as the identity provider.
  • The SQL database will have an user table with some columns that will be kept in sync with user's Azure AD profile.
    This will help us with SQL queries and reports where data is direct associated to an user (which is everywhere).

Then comes the question:

In this app, users will be able to specify authorization roles for their tenants. For example:
Tenant A can create a Staff role that will:

  • Give read/write access to contacts
  • Read only access to accounts.

We can easily write it to the database but the question becomes how can we plug this custom roles or policies into .net core authorization and do it in a way that won't require a round trip to the database on every request?

Would this be "as simple" as a custom authorization attribute on top of cached user roles and policies (using Redis or some other means)?
Would be nice to know how people are approaching this.

ASP.NET Core
ASP.NET Core
A set of technologies in the .NET Framework for building web applications and XML web services.
4,256 questions
Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,686 questions