GS1 is a neutral, global non-profit organisation that develops and maintains the most widely used standards for business communication, most notably barcodes (such as UPC and EAN). These standards enable businesses to uniquely identify, capture, and share information about products, locations, and assets, supporting supply chain efficiency and e-commerce.
The Challenge
GS1 has an Angular Single Page Application (SPA) that relies on access token claims to make authorisation decisions. These claims were sourced as part of a user's single sign-on authentication flow. The single sign-on solution had been augmented to fetch additional claims from GS1’s CRM, creating two growing concerns.
First, access tokens risked exceeding acceptable size limits as more CRM-derived attributes were added. Second, embedding dynamic, business-driven attributes into tokens was increasingly misaligned with current best practice for secure, scalable authorisation. Modern security practice favours a Zero Trust architecture in which permissions are evaluated at request time rather than bound to token lifetimes.
At the same time, there was a requirement to ensure that the front-end code enforced the same set of permissions as the API. Historically, this meant writing authorisation logic in two places, which led to inconsistent policy enforcement.
GS1 needed to demonstrate a more robust Zero Trust approach: one that removed CRM data from tokens, centralised authorisation decisions, and ensured that both the front end and the API enforced the same rules without breaking the existing user experience. Finally, GS1 wanted a standards-based solution and was keen to adopt the recently approved AuthZen protocol.
The Solution
Rock Solid Knowledge worked with GS1 to design and deliver an Authorisation-as-a-Service proof of concept based on a GS1 Single Page Application.
The approach introduced a dedicated authorisation service, backed by Rock Solid Knowledge’s Enforcer attribute-based access control (ABAC) engine. Rather than enriching tokens, the application delegated authorisation decisions to this service. Where required, CRM attributes were fetched dynamically at decision time rather than cached in a token, in keeping with Zero Trust.
Authorisation logic was abstracted away from application code and expressed as clear, testable ABAC policies. Policies were written in ALFA, a policy language readable enough for non-developers to understand the authorisation decisions being made. Both the Angular front end and the .NET API were refactored to consume the same policies through the AuthZen protocol, ensuring consistent decisions across all layers.
Throughout, the solution respected existing application structure, avoided breaking changes, and demonstrated how policy-driven authorisation could be introduced incrementally.
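As an added illustration of the pattern described above (not GS1's or Rock Solid Knowledge's code, and not the Enforcer engine or its ALFA policies), the following TypeScript models an AuthZen evaluation exchange: the token contributes only the subject identity, a stand-in policy decision point (PDP) fetches role and status from a constructed CRM lookup at decision time, and the same request shape serves both a front-end guard and an API endpoint. The resource types and the rules in `evaluate` are constructed placeholders.

```typescript
// AuthZEN Authorization API 1.0 evaluation request and response shapes.
interface AuthZenRequest {
  subject: { type: string; id: string };
  resource: { type: string; id: string };
  action: { name: string };
  context?: Record<string, unknown>;
}
interface AuthZenResponse { decision: boolean; context?: Record<string, unknown> }

// Constructed stand-in for the CRM attribute value provider (hypothetical data).
const CRM: Record<string, { role: string; status: string }> = {
  "alice@example.test": { role: "admin", status: "active" },
  "bob@example.test": { role: "viewer", status: "active" },
  "carol@example.test": { role: "admin", status: "suspended" },
};
function crmAttributes(subjectId: string) { return CRM[subjectId]; }

// Stand-in PDP. Role and status are read from the CRM at decision time, so
// suspending a user in the CRM denies access immediately, not at token expiry.
// The rules below are placeholders, not a translation of the real ALFA policy.
function evaluate(req: AuthZenRequest): AuthZenResponse {
  const attrs = crmAttributes(req.subject.id);
  if (!attrs || attrs.status !== "active") {
    return { decision: false, context: { reason: "subject_unknown_or_inactive" } };
  }
  const permitted =
    (req.resource.type === "admin" && attrs.role === "admin") ||
    (req.resource.type === "dossier" && req.action.name === "read" &&
      ["admin", "viewer"].includes(attrs.role));
  return { decision: permitted };
}

// Policy enforcement point helper used identically by an Angular guard (for UX)
// and by the API (the authoritative check): both build the same AuthZen request.
function canAccess(subjectId: string, resourceType: string, resourceId: string, action: string): boolean {
  const req: AuthZenRequest = {
    subject: { type: "user", id: subjectId },
    resource: { type: resourceType, id: resourceId },
    action: { name: action },
  };
  return evaluate(req).decision;
}
```

In a deployment, `evaluate` would be an HTTP POST to the authorisation service's `/access/v1/evaluation` endpoint rather than an in-process call; the front-end result only shapes the UI, while the API boundary remains the enforcement point.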
What Was Delivered
- A high-level authorisation architecture separating authentication from authorisation
- Secured API endpoints enforcing access rights based on policy, not on long-lived access tokens
- Clear authorisation abstractions for administration, dossier, and map functions
- Authorisation policy written in a language that non-developers can understand and agree on
- ABAC policies defined in ALFA, combining long-lived JWT claims, such as the subject identifier, with CRM-derived attributes
- A custom attribute value provider that retrieves role and status data from the CRM
- AuthZen-enabled authorisation service shared by front-end and API
- Refactored Angular guards, services, and components consuming centralised decisions
- A Zero Trust Architecture
- A multi-tier application using consistent policy enforcement end-to-end
The Impact
- Eliminated the need to embed CRM attributes in access tokens
- Reduced security risk by enforcing authorisation at the API boundary
- Enabled Zero Trust: permissions are no longer bound to token lifetimes
- Ensured front-end and API shared a single source of authorisation truth
- Improved maintainability through clear abstractions and testable policies
- Established a scalable foundation for future applications and access models
Why Rock Solid Knowledge
Rock Solid Knowledge brought deep experience in identity, access control, and standards-based authorisation. Its Enforcer ABAC engine and AuthZen expertise enabled GS1 to explore a modern, policy-driven model without disrupting existing systems.
By grounding the work in clear abstractions and open protocols, Rock Solid Knowledge reduced delivery risk and provided GS1 with a practical reference architecture for future identity and access initiatives.
Reach out today to see how ABAC and AuthZen together can meet your AuthZ requirements.
Last updated: 23 March 2026