I am wondering if/how I can dynamically load claims for a client (instead of a user) under IdentityServer4. For my MVC client apps, I can use IdentityServer4's IProfileService API to dynamically load claims for a user, and that works great. But I need to do the same for my server-to-server client app (client credentials grant type), which the IProfileService API functions don't seem to cover. Can this be done? If so, how?
2 Answers
0
Maybe you can try this way:
with Clients loaded from code:
public static IEnumerable<Client> GetClients()
{
    return new List<Client>
    {
        new Client
        {
            ClientId = "Application1",
            ClientName = "Application1",
            // the question is about a server-to-server app, so client credentials
            AllowedGrantTypes = GrantTypes.ClientCredentials,
            // ....
            AllowedScopes = { "application1.api.full_access" },
            AccessTokenLifetime = 1800,
            IdentityTokenLifetime = 1800,
            // IdentityServer4 v4 takes ClientClaim here (v3 and earlier took System.Security.Claims.Claim).
            // Client claims are always emitted for the client credentials grant; set
            // AlwaysSendClientClaims = true to emit them in user flows too. By default each
            // claim type is prefixed with ClientClaimsPrefix ("client_"), so "Role" is issued as "client_Role".
            Claims = new ClientClaim[]
            {
                new ClientClaim("Role", "admin"),
                new ClientClaim(JwtClaimTypes.Name, "JwtClaimTypes.Name"),
                new ClientClaim(JwtClaimTypes.Role, "JwtClaimTypes.Role")
            }
        } // ....
    };
}
with Clients loaded via appsettings.json:
"Clients": [
{
"ClientId": "Application1",
"ClientName": "Application1",
"Enabled": true,
"Claims": [
{
"Type": "role",
"Value": "admin"
},
{
"Type": "name",
"Value": "myapp"
}
],
....
}
]

AngelBlueSky
- Thanks but that is not going to work for us. We are using an extended EF model on SQL Server for the IdentityServer data store. For users, we have a Permissions table tied into the AspNetRoles table. At runtime, our IDS dynamically loads permissions as claims into the user's token. That's working perfectly for us now. We just want to do the same for clients (instead of users) now: tie the Permissions table to the Clients records and dynamically load permissions as claims. I am just not sure if that's possible. – Alexu Jan 06 '22 at 20:44
- Hi, not sure if this can help. https://identityserver4.readthedocs.io/en/latest/quickstarts/5_entityframework.html, there's a table for Clients and ClientClaims in which you can save your permissions as claims. – AngelBlueSky Jan 06 '22 at 21:18
- The permissions should be standard and should be shared by different entities (roles, clients, etc.). We try not to add permissions directly into the ClientClaims table, and then duplicate them in the AspNetRoleClaims table, and on and on... That would be a maintenance nightmare. – Alexu Jan 06 '22 at 21:32
- Last chance. In the Startup class -> ConfigureServices: services.AddIdentityServer().AddApiAuthorization(options => { IdentityServer4.Models.Client client = options.Clients.Where(c => c.ClientName == "Foo").FirstOrDefault(); client.Claims.Add(new IdentityServer4.Models.ClientClaim("role", "admin")); }); – AngelBlueSky Jan 07 '22 at 14:07
- Thanks again but sorry, that doesn't solve my problem either. What I need here is a way to dynamically load claims for clients of the client credentials grant type. Pre-defined claims can't help me here. For user identity, this is supported by IdentityServer4 through the IProfileService API, where you can create custom claims and load them into the access_token for the user. But for apps without a user, there seems to be no way of doing that. – Alexu Jan 07 '22 at 22:56
- What about a ClientStore: https://www.learmoreseekmore.com/2021/07/identityserver4-protect-api-with-clientcredentials-implementing-iclientstore-and-iresourcestore.html https://stackoverflow.com/questions/43894146/identityserver4-add-custom-default-claim-to-client-principal-for-client-credent https://docs.identityserver.io/en/latest/topics/clients.html – AngelBlueSky Jan 10 '22 at 08:09
- It's a good tutorial. But ClientStore is just part of the standard EF model for the data store in IdentityServer4, instead of using in-memory configuration. It's still pre-configured scopes (just stored in the database), not dynamically created scopes. I think the bottom line here is that IdentityServer4 configuration is not going to help. I need extension APIs, something like IProfileService but for clients, instead of users. That's what I think. – Alexu Jan 10 '22 at 21:16
0
I have solved this problem by implementing
public class MyClaimService : DefaultClaimsService
By overriding the GetAccessTokenClaimsAsync function of this class, I can add my custom claims into the token. And unlike IProfileService, which only applies to identities, this function applies to clients (apps) as well.

Alexu
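The override described in the accepted approach, written out as an added example (this is not code from the answer or from IdentityServer4). It assumes the IdentityServer4 v4 signature of DefaultClaimsService.GetAccessTokenClaimsAsync, an assumed IClientPermissionStore interface standing in for the Permissions-to-Clients query the question describes, an assumed claim type name "permission", and registration in ConfigureServices after AddIdentityServer():

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Services;
using IdentityServer4.Validation;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// Assumed abstraction over the Permissions table from the question. A real
// implementation would query the extended EF store (Permissions joined to the
// Clients record); this interface is not part of IdentityServer4.
public interface IClientPermissionStore
{
    Task<IReadOnlyCollection<string>> GetPermissionsAsync(string clientId);
}

// Replaces IdentityServer4's DefaultClaimsService. The base class still builds the
// standard claims (client_id, scope, the static Client.Claims with ClientClaimsPrefix
// applied, and IProfileService claims for user-based flows); this override appends
// permissions looked up at token-issuance time for client_credentials requests only.
public class MyClaimsService : DefaultClaimsService
{
    private readonly IClientPermissionStore _permissions;

    public MyClaimsService(
        IProfileService profile,
        ILogger<DefaultClaimsService> logger,
        IClientPermissionStore permissions)
        : base(profile, logger)
    {
        _permissions = permissions;
    }

    public override async Task<IEnumerable<Claim>> GetAccessTokenClaimsAsync(
        ClaimsPrincipal subject,
        ResourceValidationResult resourceResult,
        ValidatedRequest request)
    {
        var claims = (await base.GetAccessTokenClaimsAsync(subject, resourceResult, request)).ToList();

        // Client credentials requests carry no user (subject == null). Every user-based
        // flow is left alone so IProfileService stays the single source of user claims.
        var isClientCredentials = subject == null
            && request is ValidatedTokenRequest tokenRequest
            && tokenRequest.GrantType == GrantType.ClientCredentials;
        if (!isClientCredentials)
        {
            return claims;
        }

        // Key the lookup on the client IdentityServer has already authenticated,
        // never on a client_id taken from the raw request body.
        var clientId = request.Client.ClientId;
        var permissions = await _permissions.GetPermissionsAsync(clientId);

        // A dedicated claim type (assumed name "permission") keeps these claims apart from
        // user claims and from the client_-prefixed static client claims; dedupe so a
        // permission granted through two paths is issued once.
        var issued = new HashSet<string>(
            claims.Where(c => c.Type == "permission").Select(c => c.Value));
        var added = 0;
        foreach (var permission in permissions.Where(p => !string.IsNullOrWhiteSpace(p)))
        {
            if (issued.Add(permission))
            {
                claims.Add(new Claim("permission", permission));
                added++;
            }
        }

        Logger.LogDebug("Added {count} permission claims for client {clientId}", added, clientId);
        return claims;
    }
}

// Call from Startup.ConfigureServices after services.AddIdentityServer(...):
// IdentityServer4 registers DefaultClaimsService with TryAddTransient, so a later
// AddTransient<IClaimsService, ...> is the one resolved by the token service.
public static class DynamicClientClaimsRegistration
{
    public static IServiceCollection AddDynamicClientClaims<TStore>(this IServiceCollection services)
        where TStore : class, IClientPermissionStore
    {
        services.AddTransient<IClientPermissionStore, TStore>();
        services.AddTransient<IClaimsService, MyClaimsService>();
        return services;
    }
}
```

Two caveats for anyone adopting this. Claims added in the override are not run through ClientClaimsPrefix, so an API that also receives user tokens must not treat "permission" as a user claim unless that is intended. And because the lookup happens when the token is issued, removing a permission from the table only affects tokens issued afterwards; for a client credentials client that means keeping AccessTokenLifetime short, and since the query runs on every token request, indexing or caching it is worth doing.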