# Shuttle.Access

An identity and access management system that provides fine-grained permissions in a session-based environment. Identities may sign in using a name and password, or using a generic OAuth mechanism.

There is a web-based management front-end, written using Vue, as well as a RESTful web API. A REST client library is also available to facilitate calls to the web API.
Once an identity obtains a session token, it is passed in the `Authorization` header using the `Shuttle.Access` scheme:

```
Authorization: Shuttle.Access token={GUID}
```
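The header exchange above, as an added example that is not part of the Shuttle.Access code base: `ShuttleAccessHeader.Create` builds the client-side value, and `ShuttleAccessHeader.TryParse` is a hypothetical server-side helper that accepts only the exact `Shuttle.Access token={GUID}` shape, so a malformed or differently-schemed header is never mistaken for a session. The class and method names are assumptions; the sample token is constructed.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;

// Added example (assumed names, not Shuttle.Access code).
public static class ShuttleAccessHeader
{
    public const string Scheme = "Shuttle.Access";

    // Client side: produce "Shuttle.Access token={GUID}" for the Authorization header.
    public static AuthenticationHeaderValue Create(Guid sessionToken) =>
        new AuthenticationHeaderValue(Scheme, $"token={sessionToken:D}");

    // Server side: strict parse. Returns false (and Guid.Empty) for a missing header,
    // a different scheme, a parameter that is not "token=...", or a value that is
    // not a GUID in the 8-4-4-4-12 form, so the caller falls through to "no session".
    public static bool TryParse(string? headerValue, out Guid sessionToken)
    {
        sessionToken = Guid.Empty;

        if (string.IsNullOrWhiteSpace(headerValue)
            || !AuthenticationHeaderValue.TryParse(headerValue, out var parsed)
            || parsed is null
            || !string.Equals(parsed.Scheme, Scheme, StringComparison.OrdinalIgnoreCase)
            || parsed.Parameter is null)
        {
            return false;
        }

        const string prefix = "token=";

        if (!parsed.Parameter.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
        {
            return false;
        }

        // "D" accepts only the plain hyphenated form; braces, "N" form or trailing junk are rejected.
        return Guid.TryParseExact(parsed.Parameter.Substring(prefix.Length), "D", out sessionToken);
    }
}

public static class Program
{
    public static void Main()
    {
        var sessionToken = Guid.NewGuid(); // constructed sample token

        // Client: attach the header to every request made through this HttpClient.
        using var client = new HttpClient { BaseAddress = new Uri("https://access.example.local/") }; // assumed host
        client.DefaultRequestHeaders.Authorization = ShuttleAccessHeader.Create(sessionToken);

        var sent = client.DefaultRequestHeaders.Authorization!.ToString();
        Console.WriteLine($"Sent:   Authorization: {sent}");

        // Server: round-trip the value and show a malformed one being rejected.
        Console.WriteLine($"Parsed: {ShuttleAccessHeader.TryParse(sent, out var parsedToken)} -> {parsedToken}");
        Console.WriteLine($"Bearer: {ShuttleAccessHeader.TryParse("Bearer abc", out _)}");
        Console.WriteLine($"Junk:   {ShuttleAccessHeader.TryParse("Shuttle.Access token=not-a-guid", out _)}");
    }
}
```

The strict parse matters on the server side: the session token is the only credential a request carries, so anything that is not exactly the documented shape should be treated as an anonymous request rather than coerced into a lookup.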
Minimal API endpoints may be secured using either `RequiresPermission` or `RequiresSession`:

```csharp
app.MapGet("/v1/customers/", async () =>
{
    // For a specific permission use `RequiresPermission`.
})
.RequiresPermission("crm://customers/view");

app.MapGet("/v1/customers/", async () =>
{
    // If you don't require a specific permission,
    // but a session has to exist, use `RequiresSession`.
})
.RequiresSession();
```
If you are using controllers, then apply the relevant attribute:

```csharp
[HttpGet]
[RequiresPermission("weather://forecast/get")]
public IEnumerable<WeatherForecast> Get()
{
    // For a specific permission use `RequiresPermission`.
    return Array.Empty<WeatherForecast>(); // placeholder body so the action compiles
}

[HttpGet]
[RequiresSession()]
public IEnumerable<WeatherForecast> Get()
{
    // If you don't require a specific permission,
    // but a session has to exist, use `RequiresSession`.
    return Array.Empty<WeatherForecast>(); // placeholder body so the action compiles
}
```
However, if you need to check whether a particular session has a permission in code, you can use the relevant `IAccessService` implementation:

```csharp
app.MapGet("/v1/customers/", async (HttpContext httpContext, IAccessService accessService) =>
{
    // First get the session token.
    var sessionTokenResult = httpContext.GetAccessSessionToken();

    // If a session token could be located, check the permission.
    if (!sessionTokenResult.Ok || !await accessService.HasPermissionAsync(sessionTokenResult.SessionToken, "pim://category/review"))
    {
        return Results.Unauthorized();
    }

    // Session present and permission granted: continue with the handler.
    return Results.Ok();
});
```
## Structure

```
.
├─ Permissions
│  ├─ *
│  ├─ system://context/read
│  └─ system://context/write
├─ Roles
│  ├─ Administrator
│  │  └─ Permissions
│  │     └─ *
│  ├─ Reader
│  │  └─ Permissions
│  │     └─ system://context/read
│  └─ Owner
│     └─ Permissions
│        ├─ system://context/read
│        └─ system://context/write
└─ Identity
   ├─ admin
   │  └─ Roles
   │     └─ Administrator
   ├─ someone@domain.com
   │  └─ Roles
   │     └─ Reader
   └─ mrresistor@example.co.za
      └─ Roles
         └─ Owner
```