2

I plan to use IdentityServer 4 on ASP.NET Core with ASP.NET Identity as the data store. This is the first time I use a central authentication/authorization and I am wondering how to solve the following question:

Assume I have users with claims like name, role etc. and a Web API (scope) that allows these users access to measured values from hardware devices. IdentityServer will allow me to authenticate known users but now I need an access control that knows which users may access which device data.

Where do I store this information? Since it is specific to the scope I guess it should not be stored in the IdentityServers store. On the other hand, if I store it in the scopes own database I somehow need to connect it to the users defined in the IdentityServers store. Should I define user IDs that are unique to all scopes and IdentityServer?

4

2 回答 2

2

You will need to correlate the User Ids that IdentiyServer returns with users defined in the scope's database.

I believe that there is a User table and a UserLogin table where you could track the different logins for each of your users.

Then, in the scope's database, you can then specify which users have access to what device data.

于 2016-09-23T00:12:56.337 回答
1

This is a bad idea and will probably lead you down a road that you should not.

This means that your client application requesting the scopes will need to know which user has access to which scopes even before requesting a token from your IDP (otherwise your token request will not work). Rather model these as user claims. Then on your WebApi you can do normal claim based authorization.

于 2016-09-26T06:29:06.103 回答