I am interested how do you handle authorization process in your connect applications.
I’d like to know what approaches you apply, because there is thing we are considering.
In our app, we used custom jira permissions to define roles and whenever the app issues an access token roles are put inside token metadata. It has been done in this way to don’t check user’s permissions whenever he makes any request to server. As we know, It’s not perfect solution, because it causes other problems like: time window when user loses his permissions, but the access token is still valid.
So, why did we apply above solution? It was designed to working like that to avoid asking Jira (rest api) everytime for user’s permissions when a user wants to do any action. We are aware that sometimes Jira can return 429 status what may cause temporary an app access denied.
And here comes the question, how did you design an authorization process in your application?
- Are you using custom jira permissions and check these permissions every incoming request or do you persist this information (e.g in access token)?
- maybe did you create own roles and this is just put in your database?
- or is there another approach which can be applied?