
I have implemented OpenID Connect for authorizing my multi-tenant app, and I have obtained both the ID token and the access token. The access token does not contain any claims, but I would like to access user-specific resources in the web API.

For example, in order for a user to access a certain resource, (1) they must be a tenant admin and (2) they must have permission for that resource (say, a specific job post).

My questions:

  1. Do I send the user permissions to the web API in the request body/query string and have the web API trust those permissions?

  2. Should I use the access token to call the Identity Server to get the user information, then proceed if the user has the permissions?

  3. Any other options?

2 Answers

You can always add the necessary user claims to the access token, and by doing that you don't have to pass that information separately. You use ApiScopes and ApiResources to control which user claims go into the access token.

See my answer here: ApiResource vs ApiScope vs IdentityResource

To complement this answer, I wrote a blog post that goes into more detail about this topic: IdentityServer – IdentityResource vs. ApiResource vs. ApiScope

Tore Nestenius
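As an added example, not code from the post above or from IdentityServer's own samples, here is the configuration the answer describes, written against IdentityServer4 v4 and ASP.NET Core: the ApiScope/ApiResource definitions that copy user claims into the access token, and the web API that enforces both of the asker's rules from the claims in the signed token instead of trusting anything sent in the request body or query string. The scope name `jobs.api`, the resource name `jobs`, the claim types `tenant_id` and `tenant_role`, the authority URL and the `IJobPostStore` interface are all assumptions made for the example.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// ---------- IdentityServer side: Config.cs ----------
// Assumed claim types: "tenant_id" and "tenant_role" are stored on the user in the
// identity store and returned by the profile service. IdentityServer only copies into the
// access token the user claims listed on the scope/resource the client requested.
public static class Config
{
    private static readonly string[] JobsApiUserClaims = { "tenant_id", "tenant_role" };

    public static IEnumerable<ApiScope> ApiScopes => new[]
    {
        // The client requests scope "jobs.api"; its UserClaims end up in the access token.
        new ApiScope("jobs.api", "Jobs API", JobsApiUserClaims)
    };

    public static IEnumerable<ApiResource> ApiResources => new[]
    {
        // The resource name becomes the token's "aud" value, validated by the API below.
        new ApiResource("jobs", "Jobs API", JobsApiUserClaims) { Scopes = { "jobs.api" } }
    };
}

// ---------- Web API side: Startup.cs ----------
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = "https://idsrv.example.com"; // assumed IdentityServer URL
                options.Audience = "jobs";                        // matches the ApiResource name
                // Keep the raw JWT claim names ("sub", "scope"); otherwise the handler
                // renames "sub" to ClaimTypes.NameIdentifier and FindFirstValue("sub") is null.
                options.MapInboundClaims = false;
            });

        services.AddAuthorization(options =>
        {
            // Rule 1 from the question: the caller must be a tenant admin. The scope check
            // tolerates both the array form and the space-delimited form of the claim.
            options.AddPolicy("TenantAdmin", policy => policy
                .RequireAuthenticatedUser()
                .RequireAssertion(ctx => ctx.User.FindAll("scope")
                    .SelectMany(c => c.Value.Split(' ')).Contains("jobs.api"))
                .RequireClaim("tenant_role", "admin"));
        });

        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

// Assumed store: the API's own record of which users may access which job posts.
public interface IJobPostStore
{
    bool UserMayAccess(string subjectId, string tenantId, string jobPostId);
}

[ApiController]
[Route("tenants/{tenantId}/jobposts")]
[Authorize(Policy = "TenantAdmin")]
public class JobPostsController : ControllerBase
{
    private readonly IJobPostStore _store;
    public JobPostsController(IJobPostStore store) => _store = store;

    [HttpGet("{jobPostId}")]
    public IActionResult Get(string tenantId, string jobPostId)
    {
        // The tenant comes from the token, never from the route alone: otherwise an admin
        // of tenant A could read tenant B's posts just by editing the URL.
        if (User.FindFirstValue("tenant_id") != tenantId)
            return Forbid();

        // Rule 2: permission for one specific job post, looked up by the token's "sub"
        // claim in the API's own data rather than encoded as a per-post token claim.
        var sub = User.FindFirstValue("sub");
        if (!_store.UserMayAccess(sub, tenantId, jobPostId))
            return Forbid();

        return Ok(new { tenantId, jobPostId });
    }
}
```

Two points worth checking when adapting this: the claims only reach the token if the profile service actually returns `tenant_id` and `tenant_role` for the user (with ASP.NET Core Identity that means storing them as user claims), and `MapInboundClaims = false` is what keeps the JWT's `sub` and `scope` names intact on the API side. Per-resource permission is deliberately resolved against the API's store here rather than stuffed into the token, since a claim per job post would grow the token with the data set.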

Since I control the auth server, I included some claims for identifying the user in the access token.