Add missing OData controllers for auth models

Resolved 💬 2 comments Opened Jan 23, 2026 by AlpineJBoehnen Closed Jan 23, 2026

Summary

Several auth models are missing corresponding OData controllers for management. These gaps prevent proper administration of the auth system.

Models Missing Controllers

High Priority (Core Functionality)

| Model | Purpose | Controller Needed |
|-------|---------|-------------------|
| ResourceClaim | Links resources to claim types they require/accept | ResourceClaimsController |
| ResourceUserClient | Allow-list of which user clients can access a resource | ResourceUserClientsController |
| ServiceCredential | API keys for service principals | ServiceCredentialsController |

Medium Priority (Access Control)

| Model | Purpose | Controller Needed |
|-------|---------|-------------------|
| FixedClaimValue | Allowed values for a claim type (like an enum constraint) | FixedClaimValuesController |
| RoleAssignmentRule | Defines which roles can assign other roles (delegated management) | RoleAssignmentRulesController |

Medium Priority (Organization Features)

| Model | Purpose | Controller Needed |
|-------|---------|-------------------|
| OrganizationDomain | Verified email domains for organizations | OrganizationDomainsController |

Implementation Pattern

Each entity should follow the established Controller-Service pattern:

Controller (A3T.API.Auth/Controllers/)

  • Inherit from ODataController
  • Use [Authorize] with appropriate policies
  • Delegate to service for business logic
  • Standard OData endpoints: GET (list/single), POST, PATCH, DELETE
  • Enable OData query options ($filter, $select, $expand, $top, $skip)

Service (A3T.API.Auth.Data/Services/)

  • Interface I{Entity}Service with CRUD methods
  • Implementation {Entity}Service
  • Inject IAuthContext, IMapper, IUserContext, IAuthorizationEventService
  • Record authorization events for mutations

DTOs (A3T.API.Auth.Contracts/)

  • {Entity}Dto for responses
  • Create{Entity}Request and Update{Entity}Request for mutations
  • Validators using FluentValidation

Test Requirements

Integration Tests (A3T.API.Auth.Tests/Integration/Controllers/)

For each controller, test:

  • Authentication: Returns 401 without auth
  • Authorization: Returns 403 without required role
  • GET list: Returns collection with OData support
  • GET single: Returns single entity
  • POST: Creates entity successfully
  • PATCH: Updates entity successfully
  • DELETE: Deletes entity successfully
  • OData queries: $top, $select, $filter work correctly

Unit Tests (A3T.API.Auth.Tests/Unit/Services/)

For each service, test:

  • Authorization checks (admin-only, org-scoped access)
  • Validation logic
  • Edge cases and error paths

Deprecated Models (No Controller Needed)

  • JoinRequest (replaced by Application/Invitation)
  • Attribute, AttributeOption, UserAttribute, ClientAttributeSubscription
  • SSO, Session

Recommended Implementation Order

  1. Phase 1: ResourceClaim, ResourceUserClient, ServiceCredential
  2. Phase 2: FixedClaimValue, RoleAssignmentRule
  3. Phase 3: OrganizationDomain

Acceptance Criteria

  • [ ] Each controller follows Controller-Service pattern
  • [ ] DTOs and validators in Contracts project
  • [ ] Integration tests for all endpoints
  • [ ] Unit tests for service logic
  • [ ] Audit logging via AuthorizationEventService
  • [ ] Proper authorization (admin-only where appropriate)

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗