
I have 3 applications:

  • An IdentityServer4 API which provides Google authentication and also provides an access token to authorize the resource API.
  • A simple Resource API which provides some data from DB.
  • A simple Client in React which has 4 buttons:
    • Login, for Google auth
    • Logout
    • Get data - a simple request with the access token to the Resource API and gets the data from Db
    • Get user data - returns user profile and token (for debug purpose)

I didn't put any sample code because my problem is not code related, it's knowledge that I'm missing and I ask for guidance.

The workflow is working just fine: the user presses the Login button and is redirected to the IdentityServer4 API for Google Auth. From there they are redirected to a Callback page of the Client and from there to the Index page. I receive the user data and the token, I can request data from the Resource API and it's working.

My problem is: How do I give a Role to the Google Users? I don't have users saved in the DB. I want three types of Users: SuperAdmin, Admin, Viewer, and each of these roles has a limited set of Endpoints which it can access.

For limiting their access I saw that I can use Claims-based authorization or Role-based authorization.

So, my question is: how can I give a Google User who wants to log in to my app a specific Claim/Role? What is the workflow? Must I save it first in the DB? Or is there a service from Google where I can add an email address and select a Role for that address?

Thank you very much!

Adrian Tocu

1 Answer


After you get the response from Google in your callback you can handle the user and do whatever you want to do with it. Below are some typical tasks that you can do in the callback, which I took from the IdentityServer4 documentation page (link):

Handling the callback and signing in the user

On the callback page your typical tasks are:

  • inspect the identity returned by the external provider.
  • make a decision how you want to deal with that user. This might be different based on the fact if this is a new user or a returning user.
  • new users might need additional steps and UI before they are allowed in.
  • probably create a new internal user account that is linked to the external provider.
  • store the external claims that you want to keep.
  • delete the temporary cookie
  • sign in the user

What I would do is create a new internal user account that is linked to the external provider and add a role to that user.

If you don't want to save users in the DB, you can add an extra claim to the user in the callback method and use that claim in the token. I think this link will help with that.

Ylli Bala
  • I like your suggestion to create an internal user account that is linked to the external one. But I think this will generate an issue: if I want to give a role to a user, that user must log in first, because I can't set a role for a user that is not in the DB. Am I right? Is there a way to give a role to a user before he logs in to the application? – Adrian Tocu Dec 21 '21 at 14:31
  • If you create an internal user, you can't do it without putting it in the DB. When you are creating the local user in the DB in the callback method, there you set the role too, so when the token is generated it will have the role inside (if it has the scope 'role' registered for the client). When it is not a local user, in the callback add an extra claim to the user with the name role and specify the role. – Ylli Bala Dec 22 '21 at 09:27
  • Ok, the user can be any model, or must it inherit a specific class like the IdentityUser class? – Adrian Tocu Dec 22 '21 at 10:57
  • Yes, in both cases it should be IdentityUser (or any child class), because the UserManager and SignInManager classes need it. – Ylli Bala Dec 22 '21 at 11:41
  • Understood. I was thinking to use a custom UserManager, not the one that .NET Identity provides. But it's something that I don't fully understand. You said something about SignInManager; as far as I know this is a class from AspNetCore and I didn't use it until now. For signing in the user I used the HttpContext.SignInAsync() method. As far as I understand until now, I must combine Identity Framework with IdentityServer4? – Adrian Tocu Dec 22 '21 at 12:58
  • I think that would be the easiest way because you would not need to implement your own implementation. – Ylli Bala Dec 22 '21 at 16:47
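Added example, not from the answer, the comments or the IdentityServer4 project, of the "no user table" variant described above: the external callback maps the email Google returned to a role from a server-side allow-list, attaches it as an extra claim, deletes the temporary cookie and signs the user in. The `RoleByEmail` table, the example addresses, the `provider:subject` form of the subject id, and the `scheme`/`returnUrl` items (stored by the Challenge action in the IdentityServer4 quickstart) are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

public class ExternalController : Controller
{
    // Hypothetical server-side allow-list: in practice load it from configuration or a DB table.
    // Anyone not listed gets the least-privileged role.
    private static readonly Dictionary<string, string> RoleByEmail =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        { ["owner@example.com"] = "SuperAdmin", ["ops@example.com"] = "Admin" };
    private const string DefaultRole = "Viewer";

    [HttpGet]
    public async Task<IActionResult> Callback()
    {
        // 1. Read the identity the Google handler stored in the temporary external cookie.
        var result = await HttpContext.AuthenticateAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
        if (result?.Succeeded != true) throw new InvalidOperationException("External authentication error");
        var externalUser = result.Principal;
        var provider = result.Properties.Items["scheme"]; // stored by the Challenge action (assumption)
        var subject = externalUser.FindFirst(JwtClaimTypes.Subject)?.Value
                      ?? externalUser.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        var email = externalUser.FindFirst(JwtClaimTypes.Email)?.Value
                    ?? externalUser.FindFirst(ClaimTypes.Email)?.Value;
        // 2. Decide the role on the server from the email Google returned, never from request input.
        var role = email != null && RoleByEmail.TryGetValue(email, out var mapped) ? mapped : DefaultRole;
        // 3. Add the role as an extra claim. IdentityServer only emits it in tokens when the client
        //    requests an identity/API resource that lists the "role" user claim.
        var claims = new List<Claim> { new Claim(JwtClaimTypes.Role, role) };
        if (email != null) claims.Add(new Claim(JwtClaimTypes.Email, email));
        var isUser = new IdentityServerUser($"{provider}:{subject}") // stable subject id without a DB (assumption)
        {
            DisplayName = email,
            IdentityProvider = provider,
            AdditionalClaims = claims,
        };
        await HttpContext.SignInAsync(isUser);
        // 4. Delete the temporary cookie, then return to the authorize endpoint.
        await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
        return Redirect(result.Properties.Items.TryGetValue("returnUrl", out var url) ? url : "~/");
    }
}
```

The Resource API can then gate endpoints with `[Authorize(Roles = "Admin")]` as long as its JWT handler maps the `role` claim to the role claim type.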