Configuring User Authorization in Client Applications
Background Explanation

When it comes to Identity Server 4, I hit a roadblock when I think about the design of user management in the client applications.

At this point, I have Identity Server set up using ASP.NET Identity user accounts as its user store.

I've built the UI for adding users to the Identity Server User Store.

I've tested setting up a client which is an MVC application, and I'm at the point where I can successfully authenticate with Identity Server and receive the OpenID identity token in my client application.

Identity Server is providing my client application with authentication.

Now, I need to concentrate on authorization within my app. This is where I get stuck: I need to create users local to the application, where user privileges within the application are stored.

I will need to link / associate the user in Identity Server to the user in the client application.

One way to do this would be to store the sub from the identity token as a user claim in the client application database (ASP.NET Identity). This way, when a user authenticates I can locate them in the local DB, based on the sub in the token.

The sub would have to be the user's unique id in the identity server user store. This way, if the user's email is changed, we can still link the two user accounts.

The user accounts in the client application wouldn't require passwords or email addresses; it would be purely claims and roles that are used for authorization across the application, as well as any other application-specific information.

Question

Must communication between Identity Server and the client application exist when creating users in the client application?

  • We need to associate the two accounts?
  • We need to ensure that the client user account being created also has an Identity Server user account to be successfully authenticated?

When in the process should these tasks be completed? I'm looking for some guidance on the flow of the communication between the two applications.

EDIT

Is it feasible that there are no User Accounts in the client application at all?

By this I mean that all user claims for a user are stored in the user store of Identity Server.

When a client authenticates with the IDP it requests only the user claims that are specific to the client application.

Example user claims in the user store:

  1. "clientA_role" : "administrator"
  2. "clientB_role" : "user"

When Client Application A authenticates, it requests only the scope clientA_role.

This feels bad!

Any suggestions?

Schwarzwald answered 14/12, 2017 at 11:10 Comment(1)
Derek, have you found a good way to do application authorization logic? Smoothbore

If you have many client applications, then the way I recommend doing the user management is:

User Management Service:

Create a separate service for user management that IdentityServer will use as its user store and that applications will use as a user repository when user metadata is needed.

Also, why would you do something like:

Example user claims in the user store:

"clientA_role" : "administrator"

"clientB_role" : "user"

Why not just "roles": "user"? In your application you then protect your resources using the Authorize[Role] annotation.

Do not create different fields for different applications; think of it as a general user management service. I am pretty sure that standardizing your identity management will make it easier and will gain you maintainability and flexibility.

IdentityServer service handles identity management:

It might be a good idea to keep the user store inside the same service providing authorization if you feel that your application does not have such deep user management needs.

Again, in this case, store standard claims and return the claims you need inside an id_token or access token.

Update:

For a specific user that has different roles in different applications:

Let us say we have the following:

1- User1 has the user role in the first app and the admin role in the second app, then:

User1.Roles{"FirstAppUser","SecondAppAdmin"}

2- User2 has the admin role in both apps, then:

User2.Roles{"FirstAppAdmin","SecondAppAdmin"}
Reniti answered 18/12, 2017 at 7:59 Comment(5)
A user might be an administrator in one client application, and an administrator in another. So having a role claim would be insufficient across multiple applications. I've seen many examples of using Identity Server in many basic scenarios. But a user having access to multiple client applications, with one identity, I have not. Schwarzwald
In this case, use a role called superAdministrator, or application1Admin and application2Admin. If you use the same role name for both applications and a user gets a token with the Administrator role for application 1, how do you handle preventing him from accessing application 2? Reniti
Apologies, I meant: as admin in one application, a user in another. Schwarzwald
In this case you will restrict the access of the first application to "admin" and to "user" in the second application. Reniti
By using two different claims? Schwarzwald
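As an added example (not code from the question or the answer), a claims transformation for an ASP.NET Core client that applies the answer's per-application role convention: token roles such as FirstAppUser / FirstAppAdmin become this client's local User / Admin roles, roles belonging to other applications are ignored, and the link to the IdentityServer account remains the sub claim rather than the email. The app prefix "FirstApp", the token role claim type "role" and the known role names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;

// Hypothetical example: runs after the OpenID Connect handler has built the principal
// from the id_token. Register with:
//   services.AddTransient<IClaimsTransformation, AppRoleClaimsTransformation>();
public sealed class AppRoleClaimsTransformation : IClaimsTransformation
{
    private const string AppPrefix = "FirstApp";            // this client's prefix (assumed)
    private const string TokenRoleClaim = "role";            // claim type in the token (assumed)
    private const string MappedMarker = "app_roles_mapped";  // guards against running twice per request
    private static readonly string[] KnownRoles = { "User", "Admin" };

    // Pure mapping: keep only roles carrying our prefix, strip it, allow only known names.
    // Other applications' roles (e.g. "SecondAppAdmin") never become local roles.
    public static IReadOnlyList<string> MapAppRoles(IEnumerable<string> tokenRoles) =>
        tokenRoles
            .Where(r => r.StartsWith(AppPrefix, StringComparison.Ordinal))
            .Select(r => r.Substring(AppPrefix.Length))
            .Where(r => KnownRoles.Contains(r))
            .Distinct()
            .ToList();

    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        if (!(principal.Identity is ClaimsIdentity) || !principal.Identity.IsAuthenticated
            || principal.HasClaim(c => c.Type == MappedMarker))
            return Task.FromResult(principal);

        // 'sub' is the stable link to the IdentityServer account; without it, grant no roles.
        var sub = principal.FindFirst("sub")?.Value;
        if (string.IsNullOrEmpty(sub))
            return Task.FromResult(principal);

        // Work on a copy so a cached principal is never mutated in place.
        var clone = principal.Clone();
        var identity = (ClaimsIdentity)clone.Identity;
        var tokenRoles = identity.FindAll(TokenRoleClaim).Select(c => c.Value);

        // Use the identity's own RoleClaimType so [Authorize(Roles = "Admin")] matches.
        foreach (var role in MapAppRoles(tokenRoles))
            identity.AddClaim(new Claim(identity.RoleClaimType, role));

        identity.AddClaim(new Claim(MappedMarker, sub));
        return Task.FromResult(clone);
    }
}
```

With this in place the client never stores its own user accounts; authorization decisions come from the centrally managed, app-prefixed roles, and the sub claim is the only key needed to correlate a request with the IdentityServer user.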
