I'm seeking advice on how we may be able to implement authentication and authorization for multitenancy with slightly different number of scenarios.
We are building a set of API's which of some are internally accessible (within the organization) whilst some will be externally accessible (internet).
The ones internally and directly accessible within the organization may "indirectly" be accessed via more abstracted services that are externally exposed.
due to the complex nature of our business (telco company), consumers of the externally facing API's will come in different forms. Some will be our subsidiaries, whilst others will be 3rd party, vendors and developers.
I'm going to make an assumption that whether they're a large organization consumer or a single person developer - they're all uniquely identifiable the same way.
The tricky part now is that in certain scenarios the resources that publicly exposed may not be allowed to be accessed by certain consumers. example:
- Subsidiary X can access all resources and CRUD operations on resource Y
- However, 3rd party Z can only retrieve I'm probably venturing into ACL territory now...
Furthermore, to add complexity to the matter, there are certain "structural separation" scenarios (imposed by the government) that warrant data segregation but I won't go further down that rabbit hole.
There is also the issue of multiple tenants accessing a system that does not cater for multitenancy. :)
So there is a lot there so I'm wondering what are people's opinions, advice and approach to such.
We're hoping that oauth2.0 in conjunction with OpenID with a custom ACL solution could possibly work.
EDIT:
Apologies had issues with my mobile when posting question and half of it got cut out.
Just some general advice to the approach.
Is this something that OpenID and Oauth2 with entitlements server could cater for?
