OAuth
Tsiren Naimanov, 2020-09-10 07:25:26

How does Identity Server 4 with AspNet Identity authorization work?

For example, the default IS4 config

using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;

public static class Config
{
    public static IEnumerable<IdentityResource> IdentityResources =>
        new IdentityResource[]
        {
            new IdentityResources.OpenId(),
            new IdentityResources.Profile(),
        };

    public static IEnumerable<ApiScope> ApiScopes =>
        new ApiScope[]
        {
            new ApiScope("scope1"),
            new ApiScope("scope2"),
            new ApiScope("api1"),
        };

    public static IEnumerable<Client> Clients =>
        new Client[]
        {
            new Client
            {
                ClientId = "client",

                // no interactive user, use the clientid/secret for authentication
                AllowedGrantTypes = GrantTypes.ClientCredentials,

                // secret for authentication
                ClientSecrets =
                {
                    new Secret("secret".Sha256())
                },

                // scopes that client has access to
                AllowedScopes = { "api1" },
            },

            // interactive ASP.NET Core MVC client
            new Client
            {
                ClientId = "mvc",
                ClientSecrets = { new Secret("secret".Sha256()) },

                AllowedGrantTypes = GrantTypes.Code,

                // where to redirect to after login
                RedirectUris = { "https://localhost:5001/signin-oidc" },

                // where to redirect to after logout
                PostLogoutRedirectUris = { "https://localhost:5001/signout-callback-oidc" },
                AllowOfflineAccess = true,

                AllowedScopes = new List<string>
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    "api1"
                }
            },
        };
}

For example, I have a separate web server where there is
const string policyAdmin = "WebAppMvc.Policy.Admin";
o.AddPolicy(policyAdmin, policy => {
     policy.RequireClaim(policyAdmin, policyAdmin);
});

And I also want to separate access by AspNet Identity roles, for example:
Administration - [Authorize(Policy = Permission.Admin)]
Dashboard - [Authorize(Roles = "Manager")]
To do this, I have to do
// Config.IdentityResources
new IdentityResource("webApp", new List<string> { "Admin" }),

// Config.ApiScopes
new ApiScope("webApp"),

// Config.Clients
new Client
{
    ClientId = "webApp",
    ClientSecrets = { new Secret("secret".Sha256()) },

    AllowedGrantTypes = GrantTypes.Code,

    // where to redirect to after login
    RedirectUris = { "https://localhost:5061/signin-oidc" },

    // where to redirect to after logout
    PostLogoutRedirectUris = { "https://localhost:5061/signout-callback-oidc" },
    AllowOfflineAccess = true,

    AllowedScopes = new List<string>
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        "webApp",
    }
},

and client configuration
services.AddAuthentication(options =>
    {
        options.DefaultScheme = "Cookies";
        options.DefaultChallengeScheme = "oidc";
    })
    .AddCookie("Cookies")
    .AddOpenIdConnect("oidc", options =>
    {
        options.Authority = "https://localhost:5051";

        options.ClientId = "webApp";
        options.ClientSecret = "secret";
        options.ResponseType = "code";

        options.SaveTokens = true;

        options.Scope.Add("webApp");
        options.Scope.Add("offline_access");
    });

3 main models:
IdentityResource - user settings?
ApiScope - what is it? Some allowed area?
Client - any application that interacts with Identity

Plus AspNetCore Identity is added.
As I understand it, roles are simply added as claims?
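A worked example, added here and not part of the question, of how an ASP.NET Identity role reaches the MVC client as a claim through IdentityServer4: an identity resource that lists the claim type, a profile service that emits the user's roles (with AddAspNetIdentity the built-in ProfileService<TUser> already does this; the explicit one just makes the step visible), and the client-side mapping that lets [Authorize(Roles = "Manager")] see the claim. ApplicationUser and RoleProfileService are assumed names, and the "roles" scope must also be added to the client's AllowedScopes on the IdentityServer side.

```csharp
// Added example, not from the question: issue ASP.NET Identity roles as "role" claims
// via IdentityServer4 and consume them on the MVC client (ApplicationUser is assumed).
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Identity;

// 1) IdentityServer: an identity resource that carries the "role" user claim.
//    A client only receives a user claim when a scope it requested (and is allowed
//    via AllowedScopes) lists that claim type.
public static class RolesConfig
{
    public static IdentityResource Roles =>
        new IdentityResource("roles", new[] { JwtClaimTypes.Role });
}

// 2) IdentityServer: profile service that turns Identity roles into claims.
//    Register after AddAspNetIdentity<ApplicationUser>() with
//    .AddProfileService<RoleProfileService>().
public class RoleProfileService : IProfileService
{
    private readonly UserManager<ApplicationUser> _users;
    public RoleProfileService(UserManager<ApplicationUser> users) => _users = users;

    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var user = await _users.FindByIdAsync(context.Subject.GetSubjectId());
        if (user == null) return;
        var roles = await _users.GetRolesAsync(user);
        // AddRequestedClaims keeps only the claim types the requested scopes allow.
        context.AddRequestedClaims(roles.Select(r => new Claim(JwtClaimTypes.Role, r)));
    }

    public async Task IsActiveAsync(IsActiveContext context)
    {
        var user = await _users.FindByIdAsync(context.Subject.GetSubjectId());
        context.IsActive = user != null;
    }
}

// 3) MVC client, inside .AddOpenIdConnect("oidc", options => { ... }):
//    options.Scope.Add("roles");
//    options.GetClaimsFromUserInfoEndpoint = true;  // user claims come from userinfo
//    options.ClaimActions.MapJsonKey(JwtClaimTypes.Role, JwtClaimTypes.Role);
//    options.TokenValidationParameters.RoleClaimType = JwtClaimTypes.Role;
```

The policy-based check from the question ([Authorize(Policy = ...)] with RequireClaim) works the same way: whatever claim type the policy requires has to be listed in an identity resource the client requests and mapped on the client, otherwise the cookie principal never contains it.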
