多租户spa应用程序和授权中的Identityserver和asp.net身份

Question

I have a spa application with a .net core 2 api. I would like to use identityserver 4 so that in future i can also provide a sso solution and allow access to my other api/applications. I have a database that contains the all user information (along with tenant information) for all tenants that identityserver4 will connect with. Each tenant has their own database for the spa application.

Should the api access token i get from identityserver contain role information in the claims and if so where are the roles set up(on the same database as the users or in the tenant specific databases? Im not sure on how to then know that those roles are for which api. for example if i request the api1 scope can i get back a list of roles for that user that are just for that scope and if i request api2 scope get back a different list of roles for that user etc.

The documentation on identityserver and the docs on microsoft appear to me to contradict the way to approach this.

Answer 1

Generally role based authentication is getting phased out when oidc/oauth2 is in place because of the exact conflict that you are describing. Unless all of your web applications/api's will be respecting the central roles that you would define in your asp.net identity - then there is little to no benefit including them in the access token.

If you plan to have central role system that your other applications will respect and base their authorisation on - then I'd recommend setting the asp.net identity with Identity Server 4 in a single database, creating an Identity Resource for "roles" and including the user specific roles as a claim in the token when the "roles" scope is requested by the client.