
I'm trying to understand the IdentityServer mechanism for authentication and authorization. Suppose we have 3 types of clients (apps), each of which has its own user-role permission policies (i.e. for showing/hiding menus).

So, in the IdP world, where does the authorization logic go? Is that the client's responsibility or the IdP's?

I think that the IdP just authenticates the user, then redirects him/her to the client; after that, the client must handle all the authorization tasks (show/hide menus based on the local user-roles database). The user works with the client until he/she wants to log out; then again, he/she (the client on their behalf) has to communicate with the IdP.

In summary, I mean I have User, Roles, and UserRoles tables in each client's database separately to handle the local authorization logic? Is that correct?

TheMah
  • Does this answer your question? [Is claims based authorization appropriate for individual resources](https://stackoverflow.com/questions/52079466/is-claims-based-authorization-appropriate-for-individual-resources) – Mar 19 '20 at 04:22
  • @RuardvanElburg thanks Ruard, but that doesn't. I'm confused about "handling the local authorizations in IdentityServer4". – TheMah Mar 19 '20 at 12:01
  • In the setups I have seen, each application should have its own roles. The identity server should just authenticate the user. Each application would store its own roles and do authorisation. While it's possible to do this all in identity, as the number of applications scales it becomes almost impossible to manage. Users can have different roles in each app. – TheBeast Dec 15 '22 at 19:23
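The split described in the question and in TheBeast's comment (the IdP only asserts identity, each client keeps its own role table and decides what to show) can be demonstrated end to end. The block below is an added example and not code from the question, from IdentityServer, or from any of the commenters; it simulates the IdP with a self-issued HS256 JWT carrying only `iss`, `sub`, `aud`, `iat` and `exp`, and two constructed client apps that map the IdP's subject id to their own local roles. The shared secret, the issuer URL, the client ids, the `ClientApp` class and every user/role/menu value are assumptions made for the demo; a real IdentityServer signs with an asymmetric key and clients validate against its published JWKS.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for the demo: a real IdP signs with a private key and publishes
# the public half; clients never hold the signing secret.
IDP_ISSUER = "https://idp.example.test"          # hypothetical issuer URL
IDP_SIGNING_KEY = b"demo-only-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def idp_issue_token(sub: str, client_id: str, now=None, lifetime=300) -> str:
    """The IdP's only job: assert who the user is, for which client, for how long.
    It carries no application roles at all."""
    now = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": sub, "aud": client_id,
              "iat": now, "exp": now + lifetime}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(IDP_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def client_validate_token(token: str, expected_client_id: str, now=None) -> dict:
    """Client-side validation: signature, issuer, audience and expiry must all hold
    before the client trusts the `sub` claim enough to look up local roles."""
    now = int(now if now is not None else time.time())
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(IDP_SIGNING_KEY, (header_b64 + "." + claims_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_client_id:
        raise ValueError("token issued for another client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


class ClientApp:
    """One relying-party application with its own UserRoles table (keyed by the
    IdP's stable subject id) and its own menu policy. Hypothetical class."""

    def __init__(self, client_id, user_roles, menu_policy):
        self.client_id = client_id
        self.user_roles = user_roles      # sub -> set of local role names
        self.menu_policy = menu_policy    # menu item -> roles allowed to see it

    def visible_menus(self, token, now=None):
        claims = client_validate_token(token, self.client_id, now)
        # A subject the IdP vouches for but this app has never provisioned
        # gets no roles, hence no menus: authentication is not authorization.
        roles = self.user_roles.get(claims["sub"], set())
        return sorted(m for m, allowed in self.menu_policy.items() if roles & allowed)


# Constructed sample data: the same subject holds different roles in each app.
SALES_APP = ClientApp(
    "sales-app",
    {"user-42": {"manager"}, "user-77": {"rep"}},
    {"Dashboard": {"rep", "manager"}, "Approvals": {"manager"}, "Admin": {"admin"}},
)

HR_APP = ClientApp(
    "hr-app",
    {"user-42": {"employee"}},
    {"Payslips": {"employee"}, "Reviews": {"hr"}},
)

if __name__ == "__main__":
    token = idp_issue_token("user-42", "sales-app")
    print("sales-app menus for user-42:", SALES_APP.visible_menus(token))
```

The `aud` check is what keeps the per-app role tables honest: a token minted for `sales-app` is rejected by `hr-app` even though both trust the same IdP, so one app's roles can never be reached with another app's session.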

0 Answers