
I am implementing IdentityServer4 for a client. Here I am a bit confused about generating and setting claims in ProfileService.

Scenario:

1) Users can belong to multiple companies.

2) Users can have one role in one company.

3) User can have different roles in different companies.

E.g. User => Alice belongs to companyX and companyY.

a) Alice has role 'Admin' in companyX

b) Alice has role 'User' in CompanyY

Issue: What is the best way to set claims? How, on the client side, can I determine which user role belongs to which company id if I am setting the claims separately, like:

new Claim("name", "Alice"),
new Claim("Role","Admin"),
new Claim("Role","Cat"),
new Claim("Comp","1"),
new Claim("Comp","2"),

Another approach could be to set the claims like:

new Claim("name", "Alice"),
new Claim("Company_Role","1_Admin"),
new Claim("Company_Role","2_Cat"),

I am not sure if this is the best approach. Can anyone advise me?

1 Answer


There are a few downsides to issuing claims this way:

  • If the permission (role) changes, the claim value in the token is not updated automatically.
  • Every claim gets added to a token, which is sent in every request. This will increase the length of a request.
  • If you have more than one system the role value can have a different meaning.

Remember: Claims represent a user (identity), not what he/she is allowed access to. Ideally you would request permissions from an API.

If you decide to go for this solution you should try to minimize the issued claims as much as possible, e.g. Company_roleX: ClaimValueX

user1336
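As an added example (not code from the question or the answer), this shows the compound-claim approach from the question wired into an IdentityServer4 IProfileService, issued only when a scope requests it (the answer's advice to keep tokens small), together with the client-side parsing that maps each claim back to its company. ICompanyRoleStore, the claim type name "company_role" and the "<companyId>_<role>" value format are assumptions for this example.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;

// Hypothetical store: returns (companyId, role) pairs for a subject id.
public interface ICompanyRoleStore
{
    Task<IReadOnlyList<(string CompanyId, string Role)>> GetRolesAsync(string subjectId);
}

public class CompanyRoleProfileService : IProfileService
{
    public const string CompanyRoleClaim = "company_role";
    private readonly ICompanyRoleStore _store;
    public CompanyRoleProfileService(ICompanyRoleStore store) => _store = store;

    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        // Emit the compound claim only when a requested scope asks for it,
        // so tokens that do not need it stay small.
        if (!context.RequestedClaimTypes.Contains(CompanyRoleClaim)) return;
        var roles = await _store.GetRolesAsync(context.Subject.GetSubjectId());
        // One claim per company, value "<companyId>_<role>", e.g. "1_Admin".
        context.IssuedClaims.AddRange(
            roles.Select(r => new Claim(CompanyRoleClaim, $"{r.CompanyId}_{r.Role}")));
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        context.IsActive = true; // assumption: no lockout check in this example
        return Task.CompletedTask;
    }
}

// Client side: turn the compound claims back into a companyId -> role map.
public static class CompanyRoleClaims
{
    public static IDictionary<string, string> Parse(ClaimsPrincipal user) =>
        user.FindAll(CompanyRoleProfileService.CompanyRoleClaim)
            .Select(c => c.Value.Split(new[] { '_' }, 2)) // split at first '_' only
            .Where(p => p.Length == 2)
            .ToDictionary(p => p[0], p => p[1]); // one role per company, as in the question

    public static bool HasRoleInCompany(ClaimsPrincipal user, string companyId, string role) =>
        Parse(user).TryGetValue(companyId, out var r) && r == role;
}
```

Because the role is baked into the token, a role change only takes effect after the token is reissued; the client should therefore keep access-token lifetimes short or, as the answer suggests, ask an API for current permissions.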