Add missing OData controllers for auth models
Summary
Several auth models are missing corresponding OData controllers for management. These gaps prevent proper administration of the auth system.
Models Missing Controllers
High Priority (Core Functionality)
| Model | Purpose | Controller Needed |
|-------|---------|-------------------|
| ResourceClaim | Links resources to claim types they require/accept | ResourceClaimsController |
| ResourceUserClient | Allow-list of which user clients can access a resource | ResourceUserClientsController |
| ServiceCredential | API keys for service principals | ServiceCredentialsController |
Medium Priority (Access Control)
| Model | Purpose | Controller Needed |
|-------|---------|-------------------|
| FixedClaimValue | Allowed values for a claim type (like an enum constraint) | FixedClaimValuesController |
| RoleAssignmentRule | Defines which roles can assign other roles (delegated management) | RoleAssignmentRulesController |
Medium Priority (Organization Features)
| Model | Purpose | Controller Needed |
|-------|---------|-------------------|
| OrganizationDomain | Verified email domains for organizations | OrganizationDomainsController |
Implementation Pattern
Each entity should follow the established Controller-Service pattern:
Controller (A3T.API.Auth/Controllers/)
- Inherit from
ODataController - Use
[Authorize]with appropriate policies - Delegate to service for business logic
- Standard OData endpoints: GET (list/single), POST, PATCH, DELETE
- Enable OData query options ($filter, $select, $expand, $top, $skip)
Service (A3T.API.Auth.Data/Services/)
- Interface
I{Entity}Servicewith CRUD methods - Implementation
{Entity}Service - Inject
IAuthContext,IMapper,IUserContext,IAuthorizationEventService - Record authorization events for mutations
DTOs (A3T.API.Auth.Contracts/)
{Entity}Dtofor responsesCreate{Entity}RequestandUpdate{Entity}Requestfor mutations- Validators using FluentValidation
Test Requirements
Integration Tests (A3T.API.Auth.Tests/Integration/Controllers/)
For each controller, test:
- Authentication: Returns 401 without auth
- Authorization: Returns 403 without required role
- GET list: Returns collection with OData support
- GET single: Returns single entity
- POST: Creates entity successfully
- PATCH: Updates entity successfully
- DELETE: Deletes entity successfully
- OData queries: $top, $select, $filter work correctly
Unit Tests (A3T.API.Auth.Tests/Unit/Services/)
For each service, test:
- Authorization checks (admin-only, org-scoped access)
- Validation logic
- Edge cases and error paths
Deprecated Models (No Controller Needed)
- JoinRequest (replaced by Application/Invitation)
- Attribute, AttributeOption, UserAttribute, ClientAttributeSubscription
- SSO, Session
Recommended Implementation Order
- Phase 1: ResourceClaim, ResourceUserClient, ServiceCredential
- Phase 2: FixedClaimValue, RoleAssignmentRule
- Phase 3: OrganizationDomain
Acceptance Criteria
- [ ] Each controller follows Controller-Service pattern
- [ ] DTOs and validators in Contracts project
- [ ] Integration tests for all endpoints
- [ ] Unit tests for service logic
- [ ] Audit logging via AuthorizationEventService
- [ ] Proper authorization (admin-only where appropriate)
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗