Configuring User Authorization in Client Applications

Background Explanation

When it comes to Identity Server 4, I come to a roadblock when I think about the design of user management in the client applications.

At this point, I have Identity Server setup using ASP Identity User Accounts as its user store.

I've built the UI for adding users to the Identity Server User Store.

I've tested setting up a client which is an MVC application, and I'm at the point where I can successfully authenticate with Identity Server and receive the OpenID identity token in my client application.

Identity Server is providing my client application with authentication.

Now, I need to concentrate on authorization within my app. This is where I get stuck: I need to create users local to the application, where user privileges within the application are stored.

I will need to link / associate the user in Identity Server to the user in the client application.

One way to do this would be to store the sub from the identity token as a user claim in the client application database (ASP Identity). This way, when a user authenticates, I can locate them in the local DB based on the sub in the token.

The sub would have to be the user's unique ID in the Identity Server user store. This way, if the user's email is changed, we can still link the two user accounts.

The user accounts in the client application wouldn't require passwords or email addresses; they would be purely claims and roles that are used for authorization across the application, as well as any other application-specific information.

Question

Must communication between Identity Server and the client application exist when creating users in the client application?

  • Do we need to associate the two accounts?
  • Do we need to ensure that the client user account being created also has an Identity Server user account to be successfully authenticated?

When in the process should these tasks be completed? I'm looking for some guidance on the flow of communication between the two applications.

EDIT

Is it feasible that there are no User Accounts in the client application at all?

By this I mean that all user claims for a user are stored in the user store of Identity Server.

When a client authenticates with the IDP it requests only the user claims that are specific to the client application.

Example user claims in the user store:

  1. "clientA_role" : "administrator"
  2. "clientB_role" : "user"

When Client Application A authenticates, it requests only the scope clientA_role.

This feels bad!

Any suggestions?

Derek asked Dec 14 '17 11:12


1 Answer

If you have many client applications, then the way I recommend doing user management is:

User Management Service:

Create a separate service for user management that IdentityServer will use as its user store and that applications will use as a user repository when user metadata is needed.

Also, why would you do something like:

Example user claims in the user store:

"clientA_role" : "administrator"

"clientB_role" : "user"

Why not just "roles": "user"? Then in your application you will protect your resources using the Authorize[Role] annotation.

Do not create different fields for different applications; think of it as a general user management service. I am pretty sure that standardizing your identity management will make it easier and will gain you maintainability and flexibility.

IdentityServer service handles identity management:

It might be a good idea to keep the user store inside the same service providing authorization if you feel that your application does not have such deep user management needs.

Again, in this case, store standard claims and return the claims you need inside an id_token or access token.

Update:

For a specific user that has different roles in different applications:

Let us say we have the following:

1- User1 has user role in first app and admin role in second app, then

User1.Roles{"FirstAppUser","SecondAppAdmin"}

2- User2 has admin role in both apps, then:

User2.Roles{"FirstAppAdmin","SecondAppAdmin"}
Yahya Hussein answered Sep 22 '22 23:09
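As an added illustration (not code from the question or the answer), here is how an ASP.NET Core client could combine both ideas: link the IdP identity to a local record by the stable `sub` claim, and keep only the roles that the answer's naming scheme prefixes for this application, so a "SecondAppAdmin" role grants nothing in the first app. The `ILocalUserStore` interface, the `LocalUser` record and the "FirstApp" prefix are assumptions.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;

// Hypothetical local user store, keyed by the IdP's "sub" claim rather than by email.
public interface ILocalUserStore
{
    Task<LocalUser?> FindBySubjectAsync(string sub);
    Task<LocalUser> CreateAsync(string sub);
}

public record LocalUser(string Subject, string[] AppRoles);

// Runs after OpenID Connect sign-in: links the IdP identity to the local account and
// turns only this app's prefixed IdP roles ("FirstAppAdmin") into local roles ("Admin").
public sealed class AppClaimsTransformation : IClaimsTransformation
{
    private const string AppPrefix = "FirstApp";   // assumed naming scheme from the answer
    private readonly ILocalUserStore _users;

    public AppClaimsTransformation(ILocalUserStore users) => _users = users;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        var identity = principal.Identity as ClaimsIdentity;
        // The OIDC handler may rename "sub" to NameIdentifier depending on claim mapping.
        var sub = identity?.FindFirst("sub")?.Value ?? identity?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (identity is null || string.IsNullOrEmpty(sub) || identity.HasClaim(c => c.Type == "local_linked"))
            return principal;   // unauthenticated, or already transformed on this request

        // Link (or provision) the local account by the stable subject identifier, never by email.
        var local = await _users.FindBySubjectAsync(sub) ?? await _users.CreateAsync(sub);

        var idpRoles = principal.FindAll("role").Concat(principal.FindAll(ClaimTypes.Role))
            .Select(c => c.Value)
            .Where(r => r.StartsWith(AppPrefix))          // roles for other apps are dropped here
            .Select(r => r.Substring(AppPrefix.Length));

        foreach (var role in idpRoles.Concat(local.AppRoles).Distinct())
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
        identity.AddClaim(new Claim("local_linked", "true"));
        return principal;
    }
}
// Registration in Program.cs:
//   builder.Services.AddTransient<IClaimsTransformation, AppClaimsTransformation>();
// After that, [Authorize(Roles = "Admin")] is evaluated against the mapped local roles.
```

The "local_linked" marker matters because IClaimsTransformation can be invoked more than once per request, and without it the role claims would be added repeatedly.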