
IdentityServer4: How do you check if an access token has permission for a given access token?

Just like a Stripe account, a user (person) has access permission to one or more accounts (business accounts).

Example

  • User Alice has full read and write permission for business X, Y, Z.
  • User Bob has read access to business X only.

Bob, with access token access_token_b, wants to update the account profile via the API.

Using IdentityServer4, how do you verify that Bob's access_token_b has permission to update the account profile via the API controller?

You need to use your own API for managing accounts. IdentityServer (OpenID Connect) APIs are not meant to modify (manage) accounts. They only deal with the authentication part of the puzzle. You should use a library like ASP.NET Identity for storing and modifying users. There are also tools like IdentityManager, which contain a UI for user management.

So after creating your account management API (or using a tool like IdentityManager), you need to validate the incoming access token and then check the claims inside the token to see what permissions the token owner is granted. Based on that, you need to authorize the user to modify only the accounts he has access to. Then use a user management library (in most cases ASP.NET Identity) to update the accounts.
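The steps in the answer above (validate the token, read the permission claims, let the caller touch only the accounts those claims cover), as an added ASP.NET Core example. This is not code from the answer or from the IdentityServer4 project. It assumes a claim type named business_access with values like "X:read" or "X:write", one per business the user can reach (IdentityServer4 would emit these from a custom IProfileService, not shown), and the authority URL, audience name, route and DTO are hypothetical placeholders.

```csharp
// Added example (not from the original answer): an ASP.NET Core API that accepts
// IdentityServer4-issued JWTs and uses resource-based authorization to decide whether
// the token's subject may write a given business account.
// Assumptions (not in the original post): the token carries claims of the form
//   business_access = "X:read"  or  business_access = "X:write"
// one per business the user can reach; issuer, audience and route are placeholders.
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Step 1: validate the incoming access token (signature, issuer, audience, lifetime).
public static class AuthSetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = "https://identityserver.example.com"; // hypothetical IdentityServer4 host
                options.Audience = "accounts_api";                        // hypothetical API resource name
                options.TokenValidationParameters.ValidateLifetime = true;
            });

        services.AddAuthorization();
        services.AddSingleton<IAuthorizationHandler, BusinessAccessHandler>();
    }
}

// Step 2: the requirement "caller needs <Level> access to the business named by the resource".
public class BusinessAccessRequirement : IAuthorizationRequirement
{
    public string Level { get; }
    public BusinessAccessRequirement(string level) => Level = level;
}

// Step 3: the handler that inspects the token's claims for the requested business.
public class BusinessAccessHandler : AuthorizationHandler<BusinessAccessRequirement, string>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        BusinessAccessRequirement requirement,
        string businessId)
    {
        if (HasAccess(context.User, businessId, requirement.Level))
            context.Succeed(requirement);
        // No explicit Fail(): an unmet requirement is denied by default.
        return Task.CompletedTask;
    }

    // Pure claim check, kept separate so it can be unit tested without HTTP.
    // "write" implies "read"; a read-only grant never satisfies "write".
    public static bool HasAccess(ClaimsPrincipal user, string businessId, string level)
    {
        return user.FindAll("business_access")
            .Select(c => c.Value.Split(':', 2))
            .Where(p => p.Length == 2 && p[0] == businessId)
            .Any(p => p[1] == level || (level == "read" && p[1] == "write"));
    }
}

[ApiController]
[Route("api/accounts")]
[Authorize] // rejects requests without a valid token before the action runs
public class AccountsController : ControllerBase
{
    private readonly IAuthorizationService _authz;
    public AccountsController(IAuthorizationService authz) => _authz = authz;

    // Bob (read-only on X) calling PUT /api/accounts/X/profile receives 403;
    // Alice (write on X) passes and reaches the account store.
    [HttpPut("{businessId}/profile")]
    public async Task<IActionResult> UpdateProfile(string businessId, [FromBody] ProfileDto dto)
    {
        var result = await _authz.AuthorizeAsync(
            User, businessId, new BusinessAccessRequirement("write"));
        if (!result.Succeeded)
            return Forbid();

        // Step 4: persist via the account store (e.g. ASP.NET Core Identity); omitted here.
        return NoContent();
    }
}

public record ProfileDto(string DisplayName);
```

The check is done per request against the resource named in the route rather than with a single static policy, because the token for Bob and the token for Alice can both be valid for the API while differing only in which businesses their business_access claims list. The token itself is never trusted for this beyond what the JWT bearer middleware has already verified; the handler only reads claims from the principal that validation produced.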

