
Consider a scenario in which you offer service access based on a hierarchy of authority, i.e., a HEAD can register his subordinates. The authenticated HEAD has the privilege to read and update data from all of his subordinates. Is there an authorization standard or pattern that relates to this scenario?

Different roles may be assigned to the HEAD and subordinates, and they could be distinguished with scopes in standard OIDC. With this, we can ensure that only users with specific roles have access to certain APIs and properties. But, even with the aforementioned, how can we prevent privilege escalation? i.e., prevent a given HEAD from querying other HEADs' subordinates?

One option that springs to mind is embedding the subordinate IDs within the JWT token itself. However, I do not believe that this solution will be scalable or generic enough, i.e., what if a co-HEAD is introduced and the subordinates are large in number? It also requires granular code-level (microservice-level) validations, which cannot be performed at the gateway, making the system fragile.

Are there any generic, scalable patterns to handle this, ideally any standards that Identity Providers can easily support?

Fahim Farook
  • What happens to access controls when heads move across organizations? – Limit Aug 30 '21 at 02:00
  • These kinds of AuthZ systems work well when an organization has a well defined structure. For organizations that are dynamic, it will be _really_ hard to build something generic. – Limit Aug 30 '21 at 02:10
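As an added illustration (not part of the question or of any answer), the following Python sketch shows the alternative to embedding subordinate IDs in the token: the JWT carries only the caller's identity, role and scopes, which a gateway can check, while a policy decision point consults a relationship store to answer "is the target user under this HEAD?". The `Hierarchy` class, the `subordinates:read`/`subordinates:update` scope names and the claim layout are assumptions standing in for a real directory or policy service; a subordinate may have several HEADs (co-HEADs) and HEADs may be nested.

```python
"""Hierarchy-aware authorization for the HEAD/subordinate scenario (example code)."""
from dataclasses import dataclass, field


@dataclass
class Hierarchy:
    # Assumed in-memory relationship store: subordinate_id -> set of HEAD ids.
    # In a real system this would be a directory or policy service lookup.
    heads_of: dict = field(default_factory=dict)

    def register(self, head: str, subordinate: str) -> None:
        """A HEAD registers a subordinate; repeated calls add co-HEADs."""
        self.heads_of.setdefault(subordinate, set()).add(head)

    def is_under(self, head: str, user: str) -> bool:
        """True if `head` manages `user` directly or through intermediate HEADs."""
        seen, stack = set(), [user]
        while stack:
            current = stack.pop()
            for h in self.heads_of.get(current, ()):
                if h == head:
                    return True
                if h not in seen:          # guard against cycles in the store
                    seen.add(h)
                    stack.append(h)
        return False


def authorize(claims: dict, action: str, target_user: str, hierarchy: Hierarchy) -> bool:
    """Decide whether the token holder may perform `action` on `target_user`.

    `claims` is the already signature-verified JWT payload (assumed claim names:
    "sub", "role", "scope"). The role/scope checks are what a gateway can do;
    the hierarchy lookup is the per-request relationship check that stops a
    HEAD from reaching into another HEAD's subordinates.
    """
    if action not in ("read", "update"):
        return False
    scopes = set(claims.get("scope", "").split())
    if f"subordinates:{action}" not in scopes or claims.get("role") != "HEAD":
        return False
    caller = claims.get("sub")
    if not caller:
        return False
    return hierarchy.is_under(caller, target_user)
```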

0 Answers