Implementing own auth/identity service

So I've been reading up a lot about authorisation and authentication, and now I'm confused as I'm not sure what would be the best and appropriate tools to use.

Let me give you a little bit of background.

I'm trying to create a multi-tenant application which would consist of 3 services; these are:

  • Tenant service (defines the tenants which exist and defines their scopes, i.e. what APIs they're allowed to use)
  • Identity service (issues tokens for users, defining the roles of users and the tenant the user belongs to)
  • Application service (bundle of APIs to perform specific business logic)

The problems I'm experiencing with creating an identity service are:

  • Some APIs have restricted access for different tenants. Which means a user belonging to a tenant which only has permissions to make calls to the Product API shouldn't be allowed to make calls to other APIs.
  • Some APIs should have restricted access for different user roles. Meaning a user with the role admin can make any API request (providing that the tenant they belong to also has access to that API) whilst a user with a different role may have limited API access.

I've thought about using Identity Server 4 but I don't like the idea of not being able to customize your own routes for endpoints. At least, creating my own service would allow me such customization should I require to change logic in the future.

So far, I've created the ability to request an access token with the below code:

    using System;
    using System.IdentityModel.Tokens.Jwt;
    using System.Security.Claims;
    using System.Text;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.IdentityModel.Tokens;

    [HttpPost]
    public async Task<IActionResult> Token([FromHeader(Name = "client_id")] string tenantId, [FromBody] LoginRequest request)
    {
        var applicationUser = await _userManager.GetUserAsync(tenantId, request.email);
        if (applicationUser == null)
            return Unauthorized();

        var result = await _signInManager.PasswordSignInAsync(applicationUser, request.password, true, false);
        // Only issue a token when the password check actually succeeded
        if (!result.Succeeded)
            return Unauthorized();

        var claimsIdentity = new ClaimsIdentity(new Claim[]
        {
            new Claim("userId", applicationUser.Id),
            new Claim("tenantId", tenantId),
            new Claim("email", request.email)
        });

        // Add claims of the user from the data source
        claimsIdentity.AddClaims(await _userManager.GetClaimsAsync(applicationUser));

        // Signing key; in a real deployment load it from configuration or a secret store instead of hard-coding it
        var key = Encoding.ASCII.GetBytes("3ce1637ed40041cd94d4853d3e766c4d");

        var expires = DateTime.UtcNow.AddMinutes(1);
        var token = new JwtSecurityToken(
            claims: claimsIdentity.Claims,
            expires: expires,
            signingCredentials: new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
        );

        // Serialise to the compact JWT string; this string (not the token object) is what the client receives
        var jwtToken = new JwtSecurityTokenHandler().WriteToken(token);
        return Ok(new LoginResponse
        {
            AccessToken = new AccessToken
            {
                Token = jwtToken,
                // Keep the advertised lifetime consistent with the token's exp claim
                ExpiresIn = (int)(expires - DateTime.UtcNow).TotalSeconds
            }
        });
    }

Again, because I'm new to authorisation and authentication, I'm not sure whether my request token call should demand a grant_type?

I'm not sure whether the tenantId provided from the request header should be a client_secret.

And, I'm not sure what sort of information should be encrypted into a refresh_token before being given to the user and stored against the user.

Honestly, any advice would be helpful right now as I've been stuck for days. If you have any suggestions on what should be done or what tools to use then please let me know.
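The two access rules the question describes (an API is callable only if the user's tenant is scoped to it, and only if the user's role permits the action) can be decided entirely from claims once the token has been validated. The following is an added, self-contained example, not code from the question or the answer: the identity service embeds the tenant's allowed APIs as one "scope" claim per API, and the application service validates the signature, issuer, audience and lifetime before consulting any claim. The claim names "tenantId", "scope", the role names, the API names, the tenant table and the placeholder key are all assumptions made for illustration; it uses the same System.IdentityModel.Tokens.Jwt library as the question's code.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class TenantTokenDemo
{
    // Placeholder key; a real service loads this from configuration or a secret store.
    private static readonly byte[] Key = Encoding.ASCII.GetBytes("PLACEHOLDER-32-BYTE-SIGNING-KEY!");

    // Constructed stand-in for the tenant service: which APIs each tenant is allowed to call.
    private static readonly Dictionary<string, string[]> TenantScopes = new()
    {
        ["tenant-a"] = new[] { "product" },
        ["tenant-b"] = new[] { "product", "orders" },
    };

    // Identity service side: the tenant's allowed APIs travel inside the token as "scope" claims,
    // so the application service never has to call back to look them up.
    public static string IssueToken(string userId, string tenantId, string role)
    {
        var claims = new List<Claim>
        {
            new Claim("userId", userId),
            new Claim("tenantId", tenantId),
            new Claim(ClaimTypes.Role, role),
        };
        foreach (var api in TenantScopes[tenantId])
            claims.Add(new Claim("scope", api));

        var now = DateTime.UtcNow;
        var token = new JwtSecurityToken(
            issuer: "identity-service",
            audience: "application-service",
            claims: claims,
            notBefore: now,
            expires: now.AddMinutes(5),
            signingCredentials: new SigningCredentials(new SymmetricSecurityKey(Key), SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Application service side: reject anything not signed with our key, not meant for us,
    // or outside its validity window. Pinning the algorithm blocks tokens using a weaker one.
    public static ClaimsPrincipal Validate(string jwt)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = "identity-service",
            ValidAudience = "application-service",
            IssuerSigningKey = new SymmetricSecurityKey(Key),
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 },
            ClockSkew = TimeSpan.FromSeconds(30),
        };
        return new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
    }

    // Both rules from the question: the tenant must be scoped to the API, and the role must
    // permit the action. An admin may do anything its tenant is allowed to do; a "reader"
    // (assumed role name) may only read.
    public static bool CanCall(ClaimsPrincipal user, string api, string action)
    {
        bool tenantAllowed = user.HasClaim("scope", api);
        bool roleAllowed = user.IsInRole("admin") || (user.IsInRole("reader") && action == "read");
        return tenantAllowed && roleAllowed;
    }

    public static void Main()
    {
        var reader = Validate(IssueToken("u1", "tenant-a", "reader"));
        var admin = Validate(IssueToken("u2", "tenant-a", "admin"));

        Console.WriteLine(CanCall(reader, "product", "read"));   // reader, tenant scoped to product
        Console.WriteLine(CanCall(reader, "product", "write"));  // denied by role
        Console.WriteLine(CanCall(admin, "orders", "write"));    // denied because tenant-a is not scoped to orders
    }
}
```

Putting the tenant's scopes into the token is a design choice: it keeps the application service stateless, but a change to a tenant's permissions only takes effect when the user's token expires, which is one reason to keep access tokens short-lived and to pair them with a refresh flow.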

As you are saying it's a multi-tenant application with different roles, I think the best choice will be Identity Server 4.

You can customize it as per your needs and there is a lot of help available online to set it up.

Writing your own authentication is a bad idea:

  1. takes a lot of time
  2. might not be secure
  3. you may not find support if you face issues
