# Implement OAuth2 Authentication with Role-Based Access Control & Authorization Code flow in Swagger UI
Date: 2024-05-13
# Status
Proposed
# Context
We need to secure our API endpoints exposed through Swagger UI. We want not only to authenticate users but also to authorize them based on their roles. OAuth2 is a widely accepted standard for API security, and it can be combined with role-based access control (RBAC) to achieve our goals.
# Decision
We have decided to implement OAuth2 authentication and use Authorization Code flow in Swagger UI. In addition, we will implement role-based access control (RBAC) to manage user permissions based on their roles. This will involve using Azure AD as the authorization server, configuring Swagger UI to use OAuth2, and implementing RBAC in Azure AD based on roles defined in the API's Azure App Registration.
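The following is an added example, not code from the ADR or from the project it describes, showing how the decision above fits together in one place: the OpenAPI security scheme pointing the Authorization Code flow at the Azure AD v2.0 endpoints, the Swagger UI `initOAuth` options (Swagger UI runs in the browser as a public client, so it uses PKCE and no client secret), and a deny-by-default RBAC check driven by the `roles` claim that Azure AD issues for app roles defined on the API's app registration. The tenant and client ids, the scope name, the app-role names and the endpoint-to-role table are constructed placeholders, and the check assumes the token's signature has already been verified against the tenant's published keys.

```python
# Added example (not part of the ADR): OAuth2 Authorization Code flow for
# Swagger UI against Azure AD, plus an app-role based RBAC check.
# All ids, scope/role names and the endpoint table below are constructed
# placeholders (hypothetical), not values from the project.
import time

AZURE_AUTHORITY = "https://login.microsoftonline.com"

# Constructed sample identifiers (placeholders, not real tenants or apps).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
API_CLIENT_ID = "11111111-1111-1111-1111-111111111111"      # API app registration
SWAGGER_CLIENT_ID = "22222222-2222-2222-2222-222222222222"  # Swagger UI public client
API_SCOPES = {"access_as_user": "Call the API on behalf of the signed-in user"}

# Hypothetical RBAC table: app roles (as defined on the API app registration)
# required for each endpoint. Azure AD places the app roles granted to the
# caller in the access token's "roles" claim.
ENDPOINT_ROLES = {
    ("GET", "/orders"): {"Orders.Read"},
    ("POST", "/orders"): {"Orders.Write"},
    ("DELETE", "/orders"): {"Orders.Write", "Orders.Admin"},
}


def azure_ad_auth_code_scheme(tenant_id, api_client_id, scopes):
    """OpenAPI 3 securitySchemes entry for the Authorization Code flow,
    pointed at the Azure AD v2.0 authorize/token endpoints of one tenant."""
    base = f"{AZURE_AUTHORITY}/{tenant_id}/oauth2/v2.0"
    return {
        "type": "oauth2",
        "flows": {
            "authorizationCode": {
                "authorizationUrl": f"{base}/authorize",
                "tokenUrl": f"{base}/token",
                # Exposed API scopes are addressed as api://<api-client-id>/<scope>
                "scopes": {f"api://{api_client_id}/{name}": desc
                           for name, desc in scopes.items()},
            }
        },
    }


def swagger_ui_init_oauth(swagger_client_id, api_client_id, scopes):
    """Swagger UI initOAuth options. The UI is a browser-side public client,
    so the flow is Authorization Code with PKCE and carries no client secret."""
    return {
        "clientId": swagger_client_id,
        "usePkceWithAuthorizationCodeGrant": True,
        "scopes": " ".join(f"api://{api_client_id}/{name}" for name in scopes),
    }


def authorize_request(method, path, claims, *, audience, tenant_id, now=None):
    """RBAC decision for one request. `claims` must come from a token whose
    signature was already verified against the tenant's signing keys (not
    shown here); only the claims are checked. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    if claims.get("aud") != audience:
        return False, "audience mismatch"
    if claims.get("iss") != f"{AZURE_AUTHORITY}/{tenant_id}/v2.0":
        return False, "issuer mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    required = ENDPOINT_ROLES.get((method, path))
    if required is None:
        return False, "no role policy for endpoint (deny by default)"
    missing = required - set(claims.get("roles", []))
    if missing:
        return False, "missing roles: " + ", ".join(sorted(missing))
    return True, "ok"


# Constructed claims, shaped like an Azure AD v2.0 access token after
# signature verification; this caller holds only the Orders.Read app role.
SAMPLE_CLAIMS = {
    "aud": API_CLIENT_ID,
    "iss": f"{AZURE_AUTHORITY}/{TENANT_ID}/v2.0",
    "exp": 1_900_000_000,
    "roles": ["Orders.Read"],
    "scp": "access_as_user",
}

if __name__ == "__main__":
    print(azure_ad_auth_code_scheme(TENANT_ID, API_CLIENT_ID, API_SCOPES))
    print(swagger_ui_init_oauth(SWAGGER_CLIENT_ID, API_CLIENT_ID, API_SCOPES))
    for method, path in ENDPOINT_ROLES:
        decision = authorize_request(method, path, SAMPLE_CLAIMS,
                                     audience=API_CLIENT_ID,
                                     tenant_id=TENANT_ID, now=1_800_000_000)
        print(method, path, decision)
```

The security scheme dict is what goes under `components.securitySchemes` in the generated OpenAPI document, and the `initOAuth` dict is what Swagger UI needs to start the browser redirect; the endpoint table keeps the role policy in one reviewable place so that an endpoint with no entry is refused rather than silently open.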
# Consequences
Positive outcomes include enhanced security and fine-grained control over who can access our API and what they can do. However, this decision also introduces complexity in our setup and requires careful management of user roles and permissions.