We are using DHIS2 as a backend for our infection tracking system. Currently, all user data is owned by our DHIS2 instance, together with user roles for authorization, as well as org units. However, we are looking to expand into other services that might depend on the user entity, and as such we want to extract the core “user” concept out of DHIS2 and into a separate service.
I have seen that both LDAP and OpenID can be used for authentication with DHIS2, but could not find any examples of integrating any type of authorization (not even accommodating LDAP authorization).
What currently seems to me like the best approach is to create some sort of adapter that uses the API endpoints in DHIS2 to propagate authorization information from the user service. However, I would love some input and thoughts on my problem, as well as my approach.