2

We want to set up a general authentication service, making use of IdentityServer4, where we define a set of users that can have access to one or more api's.

Users will be globally defined, but can only have access to specific api's.

Maybe I'm missing something, but this doesn't seem to be supported. If a user is authenticated and receives an access token, he can access all api's.

I've read the blog post https://leastprivilege.com/2016/12/16/identity-vs-permissions/ and I fully understand and agree that authorization should be handled in the client application itself, but this first level of checking if a user can access an api seems trivial to me.

I worked with Azure AD and ADAL before, and in Azure AD it is possible to define for an application (=resource in IdentityServer4 terminology) which users can access it. When requesting a token you specify the resource you want to access and if the user has no access to it, no access token is returned.

Can anyone tell me what is the proper way to set this up? Most of our applications are Angular SPA applications so we use the implicit flow.

Linda Lawton - DaImTo
  • 106,405
  • 32
  • 180
  • 449
gsharp
  • 71
  • 8
  • The identity service is the wrong place to do user authorization. If you absolutely want that you could implement a custom authorize request validator to do additional checks. – leastprivilege Jan 07 '18 at 14:48

3 Answers3

1

I would suggest some high level idea you do it this way,

  1. Authenticate users and make sure it returns with access_token and certian claim information
  2. Define the authorization rules in your data store or somewhere you can read that can map the claims to permissions/attributes.
  3. Now write a authorization logic or service where you can map the valid permissions from step 2 and seek for permissions.

This you keep your identity and authorization clean and separate and only update the rules on application as needed to map the general permissions

Sohan
  • 6,252
  • 5
  • 35
  • 56
0

You scan set up different clients with access to different APIs the users just authenticate the client and they have access to that API. This isnt going to prevent user1 from authenticating to an api you dont want them accessing.

You can also set up user claims and policy to prevent different users from accessing different apis. Something like this would ensure that only users who are at least 21 years old would be able to access this api.

[Authorize(Policy = "AtLeast21")]
public class AlcoholPurchaseController : Controller
{
    public IActionResult Login() => View();

    public IActionResult Logout() => View();
}

More info can be found here Custom policy-based authorization

Linda Lawton - DaImTo
  • 106,405
  • 32
  • 180
  • 449
0

The proper way is to either use Policy-based or Role-based authorization.

Identity server is doing the authentication (checking if the client is registered, if it is allowed to access the requested scopes, authenticates the user, and gives him claims) but it is up to your application (the client) to authorize the user (based on the roles in the claims, either allow or don't access to a certain method).

You have an option when authenticating against IDS to check the clientID and the user, and write some custom Profile Service where you can apply some rules and reject the user.

m3n7alsnak3
  • 3,026
  • 1
  • 15
  • 24