Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Identity Server - Identity/Resource scope - How can client get resource claims about the user

Tags:

claims

identityserver3

I have read Dominik's blog post on authentication vs permission modeling using Identity Server (https://leastprivilege.com/2016/12/16/identity-vs-permissions/). Since I am mostly using role based authorization, I am fine using IdentityServer as authentication/authorization endpoint for different client and apis.

My question is how to model Identity and Resource scopes properly? Can client know which roles are allowed for the user on specific resource? If yes, can client know only the user roles for requested resources scopes (and not all roles for all scopes). As far as I understand the concept, if I request claims about the user via UserInfo endpoint, I am receiving claims which are filtered by claimTypes listed inside requested identity scopes. That means that if client requests roles scope (identity scope with role claimtype), UserInfo endpoint will respond with all role claims including other applications.

Let's take simple MVC example, where the MVC client communicates with API via REST. MVC client (client) uses Cookie/OIDC Auth middleware and requests: ResponseType = "id_token token", Scope = "openid profile api". The API (resource) uses IdentityServerBearerToken Auth middleware and demands: RequiredScopes = "api". The client has UI elements which should be visible based on api role. How can the roles be accessed from client, since the UserInfo endpoint will only return identity scope based claims? Should client ask the API (resource), which actions are possible? And based on the response show/hide UI elements?

Thank you for any help.

like image 830
sharppanda Avatar asked Apr 24 '17 07:04

sharppanda

1 Answers

So things are different between IdentityServer3 and IdentityServer4. My example below is based on IdentityServer4.

You need to do a few of things:

  1. define an IdentityResource that grants access to the role claim.
  2. Include that new IdentityResource in the client's AllowedScopes
  3. Have the client request your new IdentityResource as a scope.

So what I did was as follows:

Where I defined my resources:

new IdentityResource
{
   Name = "roles",
   UserClaims = { JwtClaimType.Role }
}

Defined my client as:

var client = new Client
{
  // .. other stuff
  AllowedScopes =
  {
    IdentityServerConstants.StandardScopes.OpenId,
    IdentityServerConstants.StandardScopes.Profile,
    "roles"
  }
}

And then used the the following in my javascript client:

new oidc.OidcClient({
  // .. other stuff
  scope: 'openid profile roles'
});

I was then able to see all the JwtClaimType.Role claims I'd added to the ClaimPrincipal in my javascript client.

like image 127
Chris Kemp Avatar answered Oct 21 '22 08:10

Chris Kemp
Sign in to Comment

Related questions

Redirect to Identity Server Login page from AngularJs http web api request
Refresh tokens using owin middleware and IdentityServer v3
Cannot Validate AccessToken with IdentityServer
Problems de-serializing System.Security.Claims.Claim
How to get access token from Identity Server by passing username and password?
CORS in Ajax-requests against an MVC controller with IdentityServer3-authorization
Using an Identity Server signing certificate in Azure
Too many OpenID.nonce cookies cause "Bad Request"
Identity Server 4 - Getting invalid_client error
How to enable sliding expiration in IdentityServer
Get IdentityServer3 to use existing user sql database
How to run IdentityServer and WebAPI in same project
Identity Server 3 refresh token expires before its expiration period set in the client configuration

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!