- A single page application based on Angular 7
- A Backend based on .NET Core WebAPI.
I am currently considering best practices to cover the authentication and authorization requirements of this kind of application.
Client Side Authorization
- SPA takes JWT after login.
- Authorization of routes will be handled by a routing guard in Angular. For example, a user with the `reportviewer` role will be allowed the routes to see report-related components.
- Menu items will be visible according to the information in the JWT. For example, a user with the `reportviewer` role will see report-related menu items.
Server Side
The JWT will contain some of the authorization information (for example, role claims). Authorize attributes will be used for authorization of the WebAPIs.
I have developed a user edit page to define a user and assign required roles.
Question
Authorization of menu items, routing guards and WebAPIs could be defined inconsistently by developers. How can I build a consistent authorization framework to solve this problem for this kind of application?
Thanks in advance.
Ihsan
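One way to keep the route guard and the menu from drifting apart, added here as an illustration and not part of Ihsan's post or project: derive both from a single permission table keyed by route. The route paths, menu labels, the `role` claim name and the constructed unsigned token are assumptions; Angular itself is left out so the logic runs stand-alone.

```typescript
// Added example (not from the original post). One table drives both the
// route guard and the menu, so a visible menu item is always a permitted route.
type Role = "reportviewer" | "admin";

// Single source of truth: which roles each route requires (assumed paths/labels).
// An empty role list means "any authenticated user".
const ROUTE_PERMISSIONS: Record<string, { label: string; roles: Role[] }> = {
  "/reports": { label: "Reports", roles: ["reportviewer", "admin"] },
  "/users": { label: "User management", roles: ["admin"] },
  "/home": { label: "Home", roles: [] },
};

function base64UrlDecode(s: string): string {
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");
}

// Read the "role" claim (assumed name) for UI decisions only. Signature
// verification stays on the server; the client never trusts this for enforcement.
function rolesFromJwt(token: string): Role[] {
  const parts = token.split(".");
  if (parts.length !== 3) return [];
  try {
    const claim = JSON.parse(base64UrlDecode(parts[1])).role;
    if (Array.isArray(claim)) return claim as Role[];
    return typeof claim === "string" ? [claim as Role] : [];
  } catch {
    return []; // malformed payload: treat as no roles
  }
}

// Equivalent of a CanActivate route guard, deny-by-default for unknown routes.
function canActivate(path: string, token: string): boolean {
  const entry = ROUTE_PERMISSIONS[path];
  if (!entry) return false;
  if (entry.roles.length === 0) return token.length > 0;
  const roles = rolesFromJwt(token);
  return entry.roles.some((r) => roles.includes(r));
}

// Menu built from the same table: filter routes through the same guard check.
function visibleMenu(token: string): string[] {
  return Object.keys(ROUTE_PERMISSIONS)
    .filter((path) => canActivate(path, token))
    .map((path) => ROUTE_PERMISSIONS[path].label);
}

// Constructed, unsigned token for demonstration; the signature part is a placeholder.
function fakeJwt(claims: object): string {
  const enc = (o: object) =>
    Buffer.from(JSON.stringify(o)).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}.placeholder-signature`;
}

const REPORT_VIEWER_TOKEN = fakeJwt({ sub: "u1", role: ["reportviewer"] });
```

The same table can be exported to the backend build so the Authorize attributes are generated from it rather than typed by hand.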