I created a basic IdentityServer4 as per tutorials http://docs.identityserver.io/en/release/quickstarts/0_overview.html. This consists of APIserver, JSClient and ID4 Server.

Overall all is good. Now I am trying to go one step further: I want to create a basic controller in ID4Server called AuthorizedUserController that is RESTful and that can only be accessed by an authorised user from JSClient.

I cannot find any examples on how to achieve this currently so hoping for some guidance.

Aeseir
  • I would go for a separate API, check my answer here: https://stackoverflow.com/questions/48645644/identity-server-4-and-web-api-for-user-management/48654219#48654219 –  Feb 07 '18 at 03:32
  • Can you clarify? My api is separate to ID4 server – Aeseir Feb 07 '18 at 04:20
  • Do not make Ids4 restful, but split functionality. Leave Ids4 for authentication. Create a new API and put the basic controller there. Treat it as another resource (one that in this case has access to the IdentityModel). –  Feb 07 '18 at 09:40

1 Answer

You could make IdentityServer include bearer token authentication:

services.AddAuthentication()
    .AddIdentityServerAuthentication("bearer", options =>
    {
        options.Authority = "your identityserver base url";
        options.ApiName = "identityserver_api";
    });

And then have an authorization policy that checks for the scheme and the client ID claim:

services.AddAuthorization(options =>
{
    options.AddPolicy("JsClient", config =>
    {
        config.AddAuthenticationSchemes("bearer");
        config.RequireClaim("client_id", "my javascript client");
    });
});

And then add an authorize attribute to your controller that specifies this authorization policy:

[Authorize("JsClient")]
Scott Brady
  • Funnily enough I discovered this by chance at the same time I posted the question. About 80% same as mine. – Aeseir Feb 08 '18 at 04:41
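
The three steps from the answer assembled in one place, together with the API resource registration they depend on. This is an added example, not code from the original answer. It assumes IdentityServer4 2.x with the IdentityServer4.AccessTokenValidation package; the authority URL, the client ID `js`, the names `ExtraResources` and `AddJsClientApiProtection`, and the controller route are placeholders chosen for illustration.

```csharp
using System.Collections.Generic;
using System.Linq;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class ExtraResources // hypothetical; merge into your existing resource list
{
    // The IdentityServer host has to be an API resource itself, and the JS client
    // must list "identityserver_api" in AllowedScopes and request it as a scope.
    public static IEnumerable<ApiResource> GetApiResources() => new[]
    {
        new ApiResource("identityserver_api", "IdentityServer user API")
    };
}

public static class ApiProtection
{
    // Hypothetical helper: call from Startup.ConfigureServices.
    public static void AddJsClientApiProtection(this IServiceCollection services)
    {
        services.AddAuthentication()
            .AddIdentityServerAuthentication("bearer", options =>
            {
                options.Authority = "http://localhost:5000"; // placeholder base URL
                options.ApiName = "identityserver_api";      // must match the ApiResource name
                options.RequireHttpsMetadata = false;        // local development only
            });

        services.AddAuthorization(options =>
        {
            options.AddPolicy("JsClient", policy =>
            {
                policy.AddAuthenticationSchemes("bearer");  // ignore the login cookie here
                policy.RequireClaim("client_id", "js");     // assumed client ID
                policy.RequireClaim("sub"); // token must carry a user (assumes unmapped claim types)
            });
        });
    }
}

[Route("api/[controller]")]
[Authorize("JsClient")] // no token, wrong client or no user: request is rejected
public class AuthorizedUserController : ControllerBase
{
    [HttpGet]
    public IActionResult Get() => Ok(User.Claims.Select(c => new { c.Type, c.Value }));
}
```

Pinning the policy to the `bearer` scheme keeps the IdentityServer login cookie from satisfying it, so the endpoint is reachable only with an access token issued for `identityserver_api`.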