
ChetanC.23766 (Customer) asked a question.
I am relatively new to adding authorization to my APIs implemented using Node (Express). I have a use case where I have a resource called "project" which can have multiple instances like proj1, proj2, etc. A user can be part of multiple projects and he/she can have different roles in each project. Now I am not able to figure out how to put all this information in the access token so that the token has all the information required for access control to the API. It would help if you can explain how I should create/organize the scope/claim/group to achieve this.
And also can this be implemented using ABAC? If yes, how?

There is general guidance about ABAC and how it uses attributes:
https://www.okta.com/identity-101/role-based-access-control-vs-attribute-based-access-control/
https://www.okta.com/blog/2020/09/attribute-based-access-control-abac/
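
An added example, not part of the thread above and not Okta's code: one way to make the per-project decision in an Express API as an attribute check over the subject's claims, the project ID from the route, and the requested action. The claim name `project_roles`, the role names, the action names and `req.claims` are assumptions; the token's signature, issuer, audience and expiry are assumed to have been validated by an earlier middleware.

```javascript
// Assumption: the access token carries a custom claim `project_roles`
// mapping project id -> role, e.g. { proj1: 'admin', proj2: 'viewer' }.
// Assumption: an earlier middleware validated the token and set req.claims.

// Policy (constructed): roles permitted to perform each action.
// A Map avoids inherited keys such as "constructor" matching an action.
const POLICY = new Map([
  ['project:read', ['viewer', 'editor', 'admin']],
  ['project:write', ['editor', 'admin']],
  ['project:delete', ['admin']],
]);

// Decision over subject attributes (claims), resource attribute (projectId)
// and action. Anything not explicitly permitted is denied.
function isAllowed(claims, projectId, action) {
  const allowedRoles = POLICY.get(action);
  if (!allowedRoles) return false; // unknown action
  const roles = claims && claims.project_roles;
  if (!roles || typeof roles !== 'object') return false; // claim missing
  // Own-property check so ids like "__proto__" never resolve to a value.
  if (!Object.prototype.hasOwnProperty.call(roles, projectId)) return false;
  const role = roles[projectId];
  return typeof role === 'string' && allowedRoles.includes(role);
}

// Express-compatible middleware factory; expects a route such as
// /projects/:projectId so the resource id comes from the URL, not the body.
function requireProjectAccess(action) {
  return (req, res, next) => {
    if (!req.claims) return res.status(401).json({ error: 'unauthenticated' });
    if (!isAllowed(req.claims, req.params.projectId, action)) {
      return res.status(403).json({ error: 'forbidden' });
    }
    return next();
  };
}

// Constructed sample payload of an already-validated token.
const sampleClaims = {
  sub: 'user-123',
  project_roles: { proj1: 'admin', proj2: 'viewer' },
};
```

Roles embedded in a token stay in effect until the token expires, so a role change in a project only takes hold on the next token issuance.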