When claims.identityProvider is the default idp and requestIdentityProviderId is None then you're succeeding, but requestIdentityProviderId being None actually means that request idp validation failed.

I think this method should accept only valid requestIdentityProviderIds i.e. requestIdentityProviderId: IdentityProviderId

If requestIdentityProviderId is not provided - it's NOT an authorization problem, it will be validated out in the layer below. It is an invalid argument which will be validated further. Not sure how to act here to make sure proper layers are responsible for errors.

My understanding of this code is that in line 129 Left(AuthorizationError.InvalidIdentityProviderId(id)) is returned also requestIdentityProviderId is None.

Also, could it even be the case that requestIdentityProviderId is not provided? Because if it's the empty it actually means the default idp

Let me first define here what is what.

claims.identityProviderId is what is provided from the token. So two options here are possible:

1. default IDP (token is issued by the auth config defined in the default configuration)
2. non-default IDP having concrete value (as it is of type IdentityProviderId)

requestIdentityProviderId is what we extracted out from the request. Here we distinguish the following cases:

1. None, means identity_provider_id from the request which cannot be recognized/parsed. For example String with more than 255 chars, or having invalid characters.
2. Some value of non-default IDP which is equal to the IDP-ID of the token
3. Some value of non-default IDP which is NOT equal to the IDP-ID of the token
4. Default IDP (i.e. identity_provider_id was an empty string)

What is important to know with the authorization rules we have introduced:

1. A participant_admin may provide any arbitrary value as IDP-ID (i.e. requestIdentityProviderId does not matter) and authorization layer should not be restricting the admin (that is why if claims.identityProviderId == Default it is giving Right(())
2. An invalid IdentityProviderId, i.e. non-LedgerString, would give None for requestIdentityProviderId and authorization layer would allow to pass the filter (but currently only for non-Default IDP), as this is nothing to do with PERMISSION_DENIED error which can be issued here.

You're right with your statement that None gives InvalidIdentityProviderId. So PERMISSION_DENIED will be issued in the case of non-default IDP. I think I just have to fix it and pass it further to the business logic layer.

I think in general this highlights a bit broken design of the authorization layer. I don't like that in case of invalid request I'm passing things further and let it fail on the business logic. But doing it differently would break current pattern and will be much more work. Do you maybe have suggestions to improve that?

I would include parts of the justification in form of comment. Surely it is not the last time we will be looking at this code asking same questions as Pawel has

We need to document these new metrics in UNRELEASED.md

which execution context should this run on?

servicesExecutionContext ?

I would think so too