
Scenario 1: Assume I have an Angular client with the implicit grant type. I am also using ASP.NET Identity to log in with database users. I log in as user Bob. I access my list of cars. For each car I have an option to edit my car. Each row has an edit button and the id of the car.

Example of get url in each row: http://localhost:5000/cars/id/1

Let's say I enter randomly some id of car: http://localhost:5000/cars/id/345 which is someone else's user car.

How does Identity Server protect other users' data in this situation?

Scenario 2: Let's have IdentityManager set up with Identity Server OpenID authentication. Which username and password are we authenticating with to gain access to IdentityManager to manage users? If it is a user from the ASP.NET Identity database, then every user in there can access IdentityManager...?

sensei

2 Answers


They don't. It's not the responsibility of Identity Server. Identity Server's main responsibility is to take care of authentication.

Tomas

Scenario 1

Authorization is not part of Identity Server, except for the basic client/scope-based authorization defined in OAuth. Identity Server just handles the authentication part. Have a look here for implementing authorization in an ASP.NET Core app: https://learn.microsoft.com/en-us/aspnet/core/security/authorization/resourcebased

Basically, Identity server gives the user identity. So you can validate if that user has access to the given resource.


Scenario 2

You can define users with a certain role claim (e.g. Role:IdentityManagerAdministrator) in your user store, and validate whether the logged-in user has that role in IdentityManager. See Secure IdentityManager with IdentityServer3.

rawel
  • Where can I find a framework that handles authorization/permission management? Did someone build this on top of IdentityServer? – Ken Vernaillen Apr 04 '18 at 23:57