I am using IdentityServer 6.1.1 with ASP.NET Core Identity
In this flow, I can programmatically add claims to the access token in the ProfileService based on the client's request of the resource api scope of "api1"
public Task GetProfileDataAsync(ProfileDataRequestContext context)
{
if (context.RequestedResources.Resources.ApiScopes.Any(s => s.Name == "api1"))
{
context.IssuedClaims.Add(new Claim("store_ids", "1"));
context.IssuedClaims.Add(new Claim("store_ids", "2"));
context.IssuedClaims.Add(new Claim("store_ids", "3"));
}
Over time, I have concerns about the JWT growing in size based on the complexity, requested resources, etc.
What is the preferred approach to handling authorization at the API, using IdentityServer, where I need to protect individual resources by id that would live in the claims table of ASP.NET Core Identity
Should I be injecting ApplicationDbContext in "api1" and accessing claims, roles, and policies at request runtime to evaluate which resources should be returned to the user instead of populating them in the access token?
Thanks!
