
I have several applications and I'm setting up IdentityServer3 as my authentication and authorization server.

Some of the applications cannot be accessed by all users....

Let's suppose that:

  • User 1 can access app1, app4 and app5
  • User 2 can access app5 and app2

So, what is the best way to make those rules work? Should I use scopes? Or is it better to use only claims?

Jedi31
  • I believe this is similar to the question posted here http://stackoverflow.com/a/35565260/1371639 – Karthik Mar 20 '16 at 21:19

2 Answers


IdentityServer allows for custom validation of the requests via the ICustomRequestValidator interface. You can implement this and return an error to prevent a user from getting a token for a client.

Nerdroid
  • Hi, thanks for your response.... I've been looking for an example about this implementation and cannot find it... Do you have an example? – Jedi31 Mar 24 '16 at 15:47
  • @Jedi31 I cannot find any sample either; check the default implementation, it might help you get started: https://github.com/IdentityServer/IdentityServer3/blob/master/source/Core/Services/Default/DefaultCustomRequestValidator.cs – Nerdroid Mar 24 '16 at 20:44
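An added example (not code from the answer above or from the IdentityServer3 project) of an ICustomRequestValidator that enforces the user-to-app mapping from the question at the token-issuing side, so that a user who is not allowed to use a client never receives a token for it. The ICustomRequestValidator interface, the Validated*Request and *ValidationResult types, the Constants values and the Registration<T> wiring are IdentityServer3's as recalled here and should be checked against the version in use; the AppAccessRequestValidator class name and the in-memory allow-list are assumptions for illustration (a real deployment would query a store).

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer3.Core;
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services;
using IdentityServer3.Core.Validation;

// Hypothetical validator (not part of IdentityServer3): rejects authorize and token
// requests when the authenticated user is not allowed to use the requesting client.
public class AppAccessRequestValidator : ICustomRequestValidator
{
    // Constructed sample data mirroring the question: subject id -> allowed client ids.
    private static readonly Dictionary<string, HashSet<string>> AllowedApps =
        new Dictionary<string, HashSet<string>>
        {
            { "user1", new HashSet<string> { "app1", "app4", "app5" } },
            { "user2", new HashSet<string> { "app2", "app5" } },
        };

    public Task<AuthorizeRequestValidationResult> ValidateAuthorizeRequestAsync(ValidatedAuthorizeRequest request)
    {
        var result = new AuthorizeRequestValidationResult();

        // Assumption: before login the Subject is not authenticated. Let the login
        // happen first; IdentityServer re-runs validation when the browser returns
        // to the authorize endpoint with the authenticated user.
        if (IsAuthenticated(request.Subject) && !IsAllowed(request.Subject, request.ClientId))
        {
            result.IsError = true;
            result.ErrorType = ErrorTypes.User; // show the error to the user, do not redirect to the client
            result.Error = Constants.AuthorizeErrors.AccessDenied;
        }

        return Task.FromResult(result);
    }

    public Task<TokenRequestValidationResult> ValidateTokenRequestAsync(ValidatedTokenRequest request)
    {
        var result = new TokenRequestValidationResult();

        // Client-credentials requests carry no user; those are governed by client
        // configuration, not by a per-user rule. Every user-bound grant (code, refresh,
        // resource owner) is checked, so a user removed from an app loses refresh too.
        if (IsAuthenticated(request.Subject) && !IsAllowed(request.Subject, request.Client.ClientId))
        {
            result.IsError = true;
            result.Error = Constants.TokenErrors.InvalidGrant;
        }

        return Task.FromResult(result);
    }

    private static bool IsAuthenticated(ClaimsPrincipal subject)
    {
        return subject != null && subject.Identity != null && subject.Identity.IsAuthenticated;
    }

    private static bool IsAllowed(ClaimsPrincipal subject, string clientId)
    {
        // Use the "sub" claim, not the display name: it is the stable identifier.
        var sub = subject.FindFirst(Constants.ClaimTypes.Subject);
        if (sub == null || string.IsNullOrEmpty(clientId))
        {
            return false; // fail closed when identity or client is missing
        }

        HashSet<string> apps;
        return AllowedApps.TryGetValue(sub.Value, out apps) && apps.Contains(clientId);
    }
}

// Wiring into the service factory in Startup (assumed standard IdentityServer3 registration).
public static class AppAccessValidatorRegistration
{
    public static void Register(IdentityServerServiceFactory factory)
    {
        factory.CustomRequestValidator =
            new Registration<ICustomRequestValidator>(new AppAccessRequestValidator());
    }
}
```

Note that this only stops token issuance; it does not replace authorization inside each application, which still has to check the claims or scopes in the token it receives.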

I believe CustomRequestValidator is good only if you need to control user access to the app at the IdentityServer level. But most of the time it is the app that decides whom to let in. It is like rephrasing your question to:

  • app1 can be accessed by User1
  • app4 can be accessed by User1
  • app2 can be accessed by User2
  • app5 can be accessed by User1 and 2

So using authorization rules based on scopes and claims at the application level is a good approach, depending on your scenario.

rawel
  • It may resolve my scenario. I was thinking about whether I can validate my access using claims. Like, I could create my identity using Asp.Net Identity, and then use bearer tokens to authorize. I'm studying how I can do it... Do you think it's a good approach? – Jedi31 Mar 29 '16 at 02:41
  • I didn't get your comment clearly. How you authorize users to your application depends on the application type you are developing. You will use bearer tokens to authorize if you are developing a WebApi. Different types of sample applications can be found here: https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/Clients – rawel Mar 29 '16 at 03:26
  • OK... Sorry... I'm kind of a dummy yet kkkkkk... I can validate whether a user can access my Asp.Net MVC app. Now, I want the user to only execute an action if he has a specific claim. Reading the docs, I tried to use the hybrid flow... And right now... I'm in trouble... kkkkkk – Jedi31 Mar 29 '16 at 03:45
  • It seems you already get authenticated via IdentityServer. To restrict access based on users and roles you need to look into the '[authorize attribute](https://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute(v=vs.118).aspx)'. But if you need to authorize based on claims you may need to write your own authorize attribute: http://stackoverflow.com/questions/19363809/mvc5-claims-version-of-the-authorize-attribute – rawel Mar 29 '16 at 04:33
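An added example, not from rawel's answer or the linked pages, of the application-side check the answer describes: an ASP.NET MVC 5 authorize attribute that requires a specific claim on the signed-in principal, so "User 2 can access app5" becomes "app5 admits principals carrying the claim app=app5". The ClaimAuthorizeAttribute name, the "app" claim type and its values, and the App5Controller are assumptions for illustration; it assumes the IdentityServer3 OpenID Connect/cookie middleware has already populated HttpContext.User with a ClaimsPrincipal.

```csharp
using System;
using System.Net;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

// Hypothetical attribute (not part of MVC or IdentityServer3): allows the request
// only when the principal is authenticated AND carries the required claim.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public class ClaimAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string _claimType;
    private readonly string _claimValue;

    public ClaimAuthorizeAttribute(string claimType, string claimValue)
    {
        if (string.IsNullOrEmpty(claimType)) throw new ArgumentNullException("claimType");
        if (string.IsNullOrEmpty(claimValue)) throw new ArgumentNullException("claimValue");
        _claimType = claimType;
        _claimValue = claimValue;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Base check covers IsAuthenticated plus any Users/Roles set on the attribute.
        if (!base.AuthorizeCore(httpContext))
        {
            return false;
        }

        var principal = httpContext.User as ClaimsPrincipal;
        if (principal == null)
        {
            return false; // fail closed: no claims to evaluate means no access
        }

        // Exact value match; avoid case-insensitive or prefix matching on claim values.
        return principal.HasClaim(_claimType, _claimValue);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // The base class answers 401 for every failure. For a user who IS signed in but
        // lacks the claim, 401 makes the cookie middleware bounce them back to login in
        // a loop; answer 403 instead so the denial is visible and logged as such.
        if (filterContext.HttpContext.User != null &&
            filterContext.HttpContext.User.Identity != null &&
            filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
            return;
        }

        base.HandleUnauthorizedRequest(filterContext);
    }
}

// Usage: the whole controller is app5's surface, so the claim is required on the class.
// A single action can be tightened further with a second claim, as on Delete.
[ClaimAuthorize("app", "app5")]
public class App5Controller : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    [ClaimAuthorize("app5_role", "admin")]
    public ActionResult Delete(int id)
    {
        // destructive action reachable only with both the app claim and the role claim
        return RedirectToAction("Index");
    }
}
```

The "app" claim has to actually be placed into the identity token or user info by IdentityServer (for example through a scope that includes it), and the MVC client's claims transformation must keep it; otherwise every request gets 403.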