I'm designing a microservice system including authentication and authorization. I understand the authentication part using OpenID Connect, but I wonder how authorization enters the picture.
Let's assume the following situation: We have a user sitting at his browser connecting to a web application ("client" or "relying party"). First he logs in to the client, then he wants to access (via the client) an order service. However, not every user is allowed to view the orders, e.g. only employees from the sales department are allowed to view orders.
For the process of logging in, the user, the relying party (RP) and an identity provider talk OpenID Connect. At the end, the RP has an ID token identifying the user.
Now, when accessing the order service, some component has to check the user's rights. Where is this component located? Does the RP ask for the rights before querying the order service? Does the order service ask for the user's rights? Which information/tokens are sent to the order service and the "authorization component"?
I've seen access tokens in OpenID Connect as well, but as far as I understand, these are OAuth2 tokens which state that a resource owner has delegated his access rights to a client. However, this does not apply to my problem where I don't have a resource owner, but rather want to check if the user is allowed to view orders. This is probably not part of OpenID Connect, but it seems a standard problem to me, although I could not find any examples for it.
In case it helps: I'm using ASP.NET Core and IdentityServer4 for authentication, and the IdProvider is part of my system (no third-party login). If other protocols are better adapted to this problem, I'm glad to learn about them!
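One common placement of that check, shown as an added example that is not from the original post: the order service acts as a resource server, validates the access token the RP sends with each call, and enforces the "sales department only" rule locally as a claims-based policy. It assumes IdentityServer4 issues JWT access tokens with an audience named "orders" and a "department" claim; the authority URL, audience, claim name/value and route are placeholders.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Authentication: validate the bearer access token the RP forwards with each request.
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = "https://idp.example.internal"; // placeholder: the IdentityServer4 host
                options.Audience = "orders";                        // placeholder: the API resource name
            });

        // Authorization: the business rule lives in the order service itself, expressed as a
        // policy over claims carried in the validated token (claim name and value are placeholders).
        services.AddAuthorization(options =>
        {
            options.AddPolicy("CanViewOrders", policy =>
                policy.RequireAuthenticatedUser()
                      .RequireClaim("department", "sales"));
        });

        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // populates HttpContext.User from the token
        app.UseAuthorization();    // evaluates [Authorize] policies per endpoint
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

[ApiController]
[Route("orders")]
public class OrdersController : ControllerBase
{
    // No valid token -> 401; valid token without department=sales -> 403.
    [HttpGet]
    [Authorize(Policy = "CanViewOrders")]
    public IActionResult Get() => Ok(new[] { "order-1", "order-2" });
}
```

The RP can use the same claim from the ID token to hide the orders page from users who lack it, but the service-side policy is the check that actually protects the data, because the RP's UI can be bypassed.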