
I am using IdentityServer4 Implicit flow for my Angular application. I have a permissions claim added to the scope list and it also gets populated properly. I need to update this claim value whenever I change the value in the database.

Currently, the claim value is refreshed only when the access_token is refreshed/renewed.

I want to check/update claims on every call to api.

1 Answer


Two things:

  1. You are mixing authentication with authorization. The permission claims should not be present in the Access token. Please read here why. And read my answer here for some thoughts about a possible design.

  2. You can't change a JWT.

An access token contains information about the client and the user (if present). It is a self-contained code that can be decoded by the server only and has a certain lifetime.

Please note that the refresh token does not really refresh the access token, it creates a new token. The original token remains valid until it expires. An alternative is to use Reference Tokens.

  • Thanks, I will go through the links you have shared. Actually, I'm using Reference Tokens and I'm getting the claims from the UserInfo endpoint. Requirement: User A has certain access rights (Read, Write, Delete). The user logs in and gets his permissions (as a permission claim value; not recommended, I guess, but I'm using it for my scenario; I'm using IdentityServer as the Authorization Server). Now, if an administrator removes his Delete permission, the claims are not updated until the token expires and the application gets a new access_token for the current user session. – Fawad Ali Siddiqi Sep 12 '18 at 11:50
  • Currently I achieved this requirement by using IPersistedGrantService (RemoveAllGrantsAsync(SubjectId, ClientId)) to revoke the user's access_token. Whenever an admin changes a user's claims, RemoveAllGrantsAsync(SubjectId, ClientId) is called to revoke his access_token. – Fawad Ali Siddiqi Sep 12 '18 at 11:51
  • As an alternative, regardless of the kind of token, you can set the token expiration to a short period, like 5 minutes. In that case the changes become effective within 5 minutes, without having to revoke tokens. If the flow allows it, use refresh tokens for a good user experience. – Sep 12 '18 at 12:29
  • And about IdentityServer, it is not for authorization, but authentication. **Who** is the user (identity)? Hence the name. It is not about authorization: **What** is the user allowed to do. Also, this is not what the UserInfoEndpoint is for. It should be used to request additional information about _who_ the user is. – Sep 12 '18 at 12:34
  • If you create your own (authorization) API to retrieve authorization (making it independent from IdentityServer) then you are halfway there. Instead of calling the UserInfoEndpoint, call your own authorization endpoint. – Sep 12 '18 at 12:40
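As an added example (not code from the question, the answer or IdentityServer itself), this is one way to meet the "check on every call to the API" requirement on the API side in ASP.NET Core, in line with the answerer's advice to keep authorization out of the token: an `IClaimsTransformation` that discards whatever permission claim the token carries and reloads the user's current permissions from the application's own store on every authenticated request, so a removed Delete right takes effect immediately without revoking or shortening tokens. `IPermissionStore`, `permission` as the claim type and the `CanDelete` policy name are assumptions of this example.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical store: in a real API this reads the permissions table the
// admin edits, so the answer reflects the database at request time.
public interface IPermissionStore
{
    Task<IReadOnlyCollection<string>> GetPermissionsAsync(string subjectId);
}

// Runs after authentication on every request, i.e. every API call.
public sealed class PermissionClaimsTransformation : IClaimsTransformation
{
    private readonly IPermissionStore _store;
    public PermissionClaimsTransformation(IPermissionStore store) => _store = store;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // "sub" may have been mapped to NameIdentifier by the JWT handler.
        var subject = principal.FindFirst("sub")?.Value
                      ?? principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (subject == null) return principal; // anonymous: nothing to load

        // Keep the identity claims from the token, drop any stale permission
        // claims, then add the ones the store returns right now.
        var identity = new ClaimsIdentity(
            principal.Claims.Where(c => c.Type != "permission"),
            principal.Identity?.AuthenticationType);

        foreach (var permission in await _store.GetPermissionsAsync(subject))
            identity.AddClaim(new Claim("permission", permission));

        return new ClaimsPrincipal(identity);
    }
}

public static class PermissionSetup
{
    // Call from Startup.ConfigureServices after AddAuthentication().
    public static void AddLivePermissions(this IServiceCollection services)
    {
        services.AddTransient<IClaimsTransformation, PermissionClaimsTransformation>();
        services.AddAuthorization(options =>
            options.AddPolicy("CanDelete",
                policy => policy.RequireClaim("permission", "Delete")));
    }
}
```

Controllers then use `[Authorize(Policy = "CanDelete")]`; because the transformation rebuilds the claims per request, the policy is evaluated against the database state, not the value frozen into the token when it was issued.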