
How do identityserver permissions work?

Scenario 1: Assume I have angular client with implicit grant type. I am also using asp.net identity to log in with database users. I log in as user Bob. I access my list of cars. For each car I have an option to edit my car. Each row has edit button and id of car.

Example of get url in each row: http://localhost:5000/cars/id/1

Let's say I enter randomly some id of car: http://localhost:5000/cars/id/345 which is someone else's user car.

How does identity server protect other users' data in this situation?

Scenario 2: let's have identity manager set up with identity server openid authentication. Which username and password are we authenticating with to gain access to identity manager to manage users? If it is a user from the aspnet identity database, then every user inside there can access identity manager...?

Scenario 1

Authorization is not part of identity server except for basic client/scope based authorization defined in OAuth. Identity server just handles the authentication part. Have a look here for implementing authorization on an asp.net core app: https://docs.microsoft.com/en-us/aspnet/core/security/authorization/resourcebased

Basically, Identity server gives the user identity. So you can validate if that user has access to the given resource.


Scenario 2

You can define users with a certain role claim (e.g. Role:IdentityManagerAdministrator) in your user store, and validate if the logged-in user has that role in identityManager. See Secure IdentityManager with IdentityServer3.
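An added example (not code from the answer above or from IdentityServer) of how both scenarios are handled in the protected ASP.NET Core API rather than in identity server: the token only carries the user's identity (the `sub` claim), and the API's resource-based handler compares it to the car's owner on every request. `Car`, `ICarRepository` and the policy names are hypothetical; the registration of a role-claim policy for the identity manager UI is shown in the commented block.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical domain type: OwnerId stores the "sub" claim of the owning user.
public record Car(int Id, string OwnerId, string Model);
public interface ICarRepository { Task<Car?> FindAsync(int id); } // hypothetical

// Requirement for the resource-based "CarOwner" policy.
public class CarOwnerRequirement : IAuthorizationRequirement { }
// Succeeds only when the caller's subject claim equals the car's OwnerId.
public class CarOwnerHandler : AuthorizationHandler<CarOwnerRequirement, Car>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, CarOwnerRequirement requirement, Car car)
    {
        var sub = context.User.FindFirstValue("sub")
                  ?? context.User.FindFirstValue(ClaimTypes.NameIdentifier);
        if (!string.IsNullOrEmpty(sub) && sub == car.OwnerId)
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

// Registration, e.g. in Program.cs:
// builder.Services.AddAuthorization(o =>
// {
//     o.AddPolicy("CarOwner", p => p.AddRequirements(new CarOwnerRequirement()));
//     // Scenario 2: gate the admin UI on a role claim held in the user store.
//     o.AddPolicy("IdentityManagerAdmin", p => p.RequireClaim("role", "IdentityManagerAdministrator"));
// });
// builder.Services.AddSingleton<IAuthorizationHandler, CarOwnerHandler>();

[ApiController, Route("cars"), Authorize]
public class CarsController : ControllerBase
{
    private readonly IAuthorizationService _auth;
    private readonly ICarRepository _cars;
    public CarsController(IAuthorizationService auth, ICarRepository cars) { _auth = auth; _cars = cars; }

    [HttpGet("id/{id:int}")]
    public async Task<IActionResult> Get(int id)
    {
        var car = await _cars.FindAsync(id);
        if (car is null) return NotFound();
        // Ownership is checked per request: Bob asking for /cars/id/345 gets 403 unless it is his.
        var result = await _auth.AuthorizeAsync(User, car, "CarOwner");
        return result.Succeeded ? Ok(car) : Forbid();
    }
}
```

Without the `AuthorizeAsync` call, any authenticated user could read any car id, which is exactly the gap the question describes; a valid token from identity server proves who the caller is, not what they may access.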
