I am using .Net Framework Web Api and .Net Core Web Api with the authorize attribute with roles. I'm trying to understand how identity server handles users with role based api resources and a user calling an api resource from, say, Postman. I would think you would get a bearer token for the user using the connect/token endpoint; however, if I create a client, set it up with no client secret and set the grant type to password, I am able to retrieve a token from the connect/token endpoint, but it does not include the user claims or roles. It just has the scope for the client and the user sub, nothing else. What is the proper way to use identity server to allow a user to call an api that is looking for a role for access to the api endpoint? Also, client credentials is something I'm not sure how to use with role based access: is it best practice to just add role claims to the client?
- Does this answer your question? [IdentityServer4 Role Based Authorization for Web API with ASP.NET Core Identity](https://stackoverflow.com/questions/53976553/identityserver4-role-based-authorization-for-web-api-with-asp-net-core-identity) – Dec 29 '19 at 15:16
- I'll take a look, thanks for the link. – dport007 Dec 30 '19 at 21:10
1 Answer
You can implement IProfileService, by which you can include the role as a claim in the token and verify authorization at the API resource end.
More details: http://docs.identityserver.io/en/latest/reference/profileservice.html
But IdentityServer serves the purpose of authentication, not authorization of the user. Better to keep both separate.

PradipB
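As an added example of what the answer describes (this is not code from the answer or from the IdentityServer4 project): an IProfileService that turns ASP.NET Core Identity roles into `role` claims, the resource and client configuration that lets those claims reach the access token, and the API-side setup that makes `[Authorize(Roles = "...")]` read them. The names `ApplicationUser`, `RoleProfileService`, the `api1` resource, the `postman` client and the `https://localhost:5001` authority are assumptions, and the resource model is that of IdentityServer4 v4 (ApiScope plus ApiResource).

```csharp
// Added example, not part of the original answer or of IdentityServer4 itself.
// Assumed names: ApplicationUser, RoleProfileService, resource "api1", client "postman".
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;                       // JwtClaimTypes.Role == "role"
using IdentityServer4.Extensions;          // GetSubjectId(), AddRequestedClaims()
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class ApplicationUser : IdentityUser { }   // assumed Identity user type

// ---- IdentityServer side: profile service that emits one "role" claim per Identity role
public class RoleProfileService : IProfileService
{
    private readonly UserManager<ApplicationUser> _userManager;
    public RoleProfileService(UserManager<ApplicationUser> userManager) => _userManager = userManager;

    // Called whenever IdentityServer builds an id/access token or answers /userinfo.
    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var user = await _userManager.FindByIdAsync(context.Subject.GetSubjectId());
        if (user == null) return;   // unknown subject: emit nothing, the API will answer 403

        var claims = new List<Claim> { new Claim(JwtClaimTypes.Name, user.UserName ?? string.Empty) };
        claims.AddRange((await _userManager.GetRolesAsync(user))
            .Select(role => new Claim(JwtClaimTypes.Role, role)));

        // Only claim types the resource asked for (ApiResource.UserClaims) are kept,
        // so unrelated claims do not leak into every token that is issued.
        context.AddRequestedClaims(claims);
    }

    // Lets IdentityServer refuse tokens for deleted or locked-out accounts.
    public async Task IsActiveAsync(IsActiveContext context)
    {
        var user = await _userManager.FindByIdAsync(context.Subject.GetSubjectId());
        context.IsActive = user != null && !await _userManager.IsLockedOutAsync(user);
    }
}

public static class IdentityServerConfig
{
    // Without "role" in UserClaims the profile service's role claims are filtered out
    // of the access token, which is the symptom described in the question.
    public static IEnumerable<ApiResource> ApiResources => new[]
    {
        new ApiResource("api1", "Example API") { Scopes = { "api1" }, UserClaims = { JwtClaimTypes.Role } },
    };
    public static IEnumerable<ApiScope> ApiScopes => new[] { new ApiScope("api1") };
    public static IEnumerable<Client> Clients => new[]
    {
        new Client
        {
            ClientId = "postman",
            RequireClientSecret = false,                          // public client, as in the question
            AllowedGrantTypes = GrantTypes.ResourceOwnerPassword, // grant_type=password
            AllowedScopes = { "api1" },
        },
    };

    public static void Register(IServiceCollection services)
    {
        services.AddIdentityServer()
            .AddDeveloperSigningCredential()      // development only; use a real key in production
            .AddInMemoryApiResources(ApiResources)
            .AddInMemoryApiScopes(ApiScopes)
            .AddInMemoryClients(Clients)
            .AddAspNetIdentity<ApplicationUser>()
            .AddProfileService<RoleProfileService>();   // must come after AddAspNetIdentity to win
    }
}

// ---- API side: make [Authorize(Roles = ...)] look at the short "role" claim type
public static class ApiConfig
{
    public static void Register(IServiceCollection services)
    {
        JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();  // keep "role"/"sub" as-is
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = "https://localhost:5001";   // assumed IdentityServer URL
                options.Audience = "api1";                      // matches the ApiResource name
                options.TokenValidationParameters.RoleClaimType = JwtClaimTypes.Role;
                options.TokenValidationParameters.NameClaimType = JwtClaimTypes.Name;
            });
        services.AddAuthorization();
    }
}

[ApiController, Route("admin")]
public class AdminController : ControllerBase
{
    [HttpGet, Authorize(Roles = "Admin")]   // 401 without a token, 403 without the role
    public IActionResult Get() => Ok(User.FindAll(JwtClaimTypes.Role).Select(c => c.Value));
}
```

With this in place, the Postman request from the question (`POST /connect/token` with `grant_type=password`, `client_id=postman`, `scope=api1`, `username` and `password` as form fields) returns an access token whose payload carries a `role` claim per Identity role, and the API's `[Authorize(Roles = "Admin")]` works because `RoleClaimType` points at that claim. Two things to check when it still does not work: the API must be configured for the same `Audience` as the resource name, and the inbound claim map must be cleared (or the `RoleClaimType` must be the mapped long URI) or the role check silently sees no roles.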