I have already read some articles about this topic including this one from @VaughnVernon and I'm almost done with the book IDDD, but I'm still not clear on some facts, so sorry to bring it up here again.
To sum up what I already know, I just want to go through the facts here. It is clear that in almost all cases, authorization is an integrated part of the domain model. For example, only an author is allowed to post to a forum. It is also clear that authentication is NOT part of any bounded context but the ones that are directly related to this matter (i.e. identity and access here).
However, there are some edge cases that still keep me wondering if there is an answer to them in DDD style or whether they need a combination of another architecture with DDD.
Let's take tenant provisioning as an example. How do we answer the question "who is authorised to provision a tenant?". Shall the actor here be part of the scenario (like the author in the forum example), or is there a God-mode way that something happens without an actor involved? If so, how do we authorise it?
Or take the use case where "a moderator is allowed to modify a post on behalf of its author". Is this a use case that we still need to model in the current code? Or is this the same use case and the same service call where the author himself modifies the post, only with an extra check that if the request is done by a moderator, that moderator has the proper role?
Another question is how we verify the genuineness of the requester. We can't depend only on the tenant and author's id, as these could be part of public data that we freely show to everybody, for example as a link to the author's profile on a forum post. So we need a secret (like a password) to do the verification. Will this secret be part of the command sent to the relevant application service, or shall it be done before the request reaches the application service, like inside a JAX-RS resource by directly calling the UserRepository?
Again sorry to bother but these are the things I can't just shake off my head.
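As an added example (not code from the original post or from the IDDD samples) of the split the post describes: the secret is verified at the boundary, only an authenticated principal reaches the application service, and the Post aggregate decides whether the requester, as author or as Moderator, may modify it. The user store, names and passwords are constructed for this illustration.

```python
# Added illustration (not the project's code) of the design the post sketches: the
# secret is verified once at the boundary, only an authenticated principal travels
# into the application service, and the Post aggregate enforces "author or Moderator".
import hashlib, hmac, os
from dataclasses import dataclass

class NotAuthorized(Exception):
    """Raised for failed authentication and for refused domain operations."""

@dataclass(frozen=True)
class Principal:
    tenant_id: str
    user_id: str
    roles: frozenset

def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store: (tenant, username) -> (user_id, salt, PBKDF2 digest, roles).
_s1, _s2 = os.urandom(16), os.urandom(16)
USERS = {
    ("t1", "alice"): ("u-alice", _s1, _digest("alice-pw", _s1), frozenset()),
    ("t1", "mona"): ("u-mona", _s2, _digest("mona-pw", _s2), frozenset({"Moderator"})),
}

def authenticate(tenant_id: str, username: str, password: str) -> Principal:
    """Boundary step (the JAX-RS resource in the post): secret in, principal out."""
    rec = USERS.get((tenant_id, username))
    # Constant-time compare; the same error for unknown user and wrong password.
    if rec is None or not hmac.compare_digest(_digest(password, rec[1]), rec[2]):
        raise NotAuthorized("bad credentials")
    return Principal(tenant_id, rec[0], rec[3])

@dataclass
class Post:
    tenant_id: str
    author_id: str
    content: str

    def modify(self, requester: Principal, new_content: str) -> None:
        """Domain rule: same tenant, and either the author or a Moderator."""
        allowed = requester.tenant_id == self.tenant_id and (
            requester.user_id == self.author_id or "Moderator" in requester.roles)
        if not allowed:
            raise NotAuthorized("requester is neither the author nor a moderator")
        self.content = new_content

def modify_post(post: Post, requester: Principal, new_content: str) -> Post:
    """Application service: one call serves author and moderator; no secret enters here."""
    post.modify(requester, new_content)
    return post
```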