Trying to implement resource based access control based on the slug for resource, in a Clean architecture, CQRS based project

[vpgits]

Implementing Fine-Grained Authorization with Keycloak.AuthServices

I'm developing an ASP.NET Core application with a Clean Architecture, using CQRS and MediatR. I'm integrating Keycloak.AuthServices for authentication and authorization. My specific challenge is implementing fine-grained access control for an application, with the following requirements:

For context I have an employee api endpoint. I have currently implemented Resource based Access Control using workspacename#scope approach, but I want to reduce the scope of access for endpoints like workspacename/{id}#scope.

This can already be done using the extension method. Current issue is with programmatically creating resources in Keycloak.

Current Approach

I'm using the RequireProtectedResource extension method for RouteBuilder to implement resource-based authorization. For example:

app.MapPost("/api/workspaces/employees/", ...)
   .RequireProtectedResource("employees", "employees:view");

Challenges

Dynamic Resource Creation: When a new employee is created, I need to dynamically create a corresponding resource in Keycloak.
Per-employee Authorization: I need to ensure that only the individual employee can access their own resource.
Resource Lifecycle Management: I need to manage the lifecycle of Keycloak resources in sync with my application's resources (create/delete).
Integration with CQRS: I need to integrate this authorization logic with my CQRS command and query handlers.
Current integration with CQRS suggested by Sample Implementation
This implementation suggests using a service injected to the Command/Query Handers to create the resources programmatically.
Is there another ways to create resources programmatically than including these dependencies in command handlers

Possible workarounds

• Using Endpoint filters for intercepting the request beforehand
• Using Mediatr middleware Behaviour patterns
• Writing custom logic inside the endpoint handler

Still these approaches lack a lot of context on how to be implemented progamatically.

I would like to know your idea on how to implement something like this.

[NikiforovAll]

To implement fine-grained authorization with Keycloak.AuthServices in your ASP.NET Core application using CQRS and MediatR, you can leverage a more decoupled approach by using domain events. When an employee is created, instead of managing Keycloak resource creation directly in the command handler, you can publish an event (e.g., EmployeeCreatedEvent). An event handler would then manage the dynamic creation of the Keycloak resource, ensuring separation of concerns.

This event-driven design makes the authorization logic more maintainable, scalable, and integrates seamlessly with your CQRS architecture without polluting business logic.