
How to restrict authentication to a specific domain using IdentityServer4

In the context of using IdentityServer4 to secure an ASP.NET Core MVC 2.0 client and associated API, how do I enforce domain-specific authentication restrictions?


I have worked through the IdentityServer quickstarts and have a working MVC client talking to an IdentityServer instance (apologies if using the wrong terminology). I am using External Authentication (Google) and do not have anything mildly complicated such as local logins / database etc. I am not using ASP.NET Identity. This is all working just fine.

Problem: I need to only allow users from a certain company into the application. To achieve this I will examine either their email address or the 'hd' claim from Google to examine their domain and match it to a whitelist.

  1. Do I implement this in the Client or the IdentityServer?
  2. Can anyone point me to an example of where this has been done or provide an explanation on how to implement it?

Happy to post code of current implementation if of use, only reason I haven't is that it is the same as the quickstarts linked above.

I believe this logic belongs to your IdentityServer instance.

But it may exist on your application/client only if the email's domain check is required only for a single application. In this way, you may have an action filter to check the claim, and you need to add `hd` to the user claim list.

The logic of checking with the whitelist should stay on IdentityServer. You can set a flag on the client to check whether the system needs to validate the email domain or not.
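Added example (not code from the question or the answer above): a self-contained allowlist check that the IdentityServer-side external-login callback from the quickstart could call on the principal read from the external cookie, which is where the answer places the logic. It assumes the Google handler has been configured to map Google's `hd` (hosted domain) and `email_verified` fields to claims of the same names (for example `options.ClaimActions.MapJsonKey("hd", "hd")`), which the quickstart does not do by default; `DomainAllowlist` and its members are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Hypothetical helper; only ClaimsPrincipal/ClaimTypes come from the framework.
public sealed class DomainAllowlist
{
    private readonly HashSet<string> _domains;

    public DomainAllowlist(IEnumerable<string> domains)
    {
        // Normalise once so "Example.COM." and "example.com" compare equal.
        _domains = new HashSet<string>(domains.Select(Normalise), StringComparer.Ordinal);
    }

    // True only when the external principal provably belongs to an allowed domain.
    public bool IsAllowed(ClaimsPrincipal external, out string reason)
    {
        // 1. Prefer Google's 'hd' claim: Google sets it for Workspace accounts and the
        //    user cannot choose it, unlike the local part of an e-mail address.
        var hd = external.FindFirst("hd")?.Value;
        if (!string.IsNullOrWhiteSpace(hd))
        {
            if (_domains.Contains(Normalise(hd))) { reason = null; return true; }
            reason = $"hosted domain '{hd}' is not allowed";
            return false;
        }

        // 2. Otherwise fall back to the e-mail domain, but only if the provider marked
        //    the address verified; an unverified address is user-supplied input.
        var email = external.FindFirst("email")?.Value
                    ?? external.FindFirst(ClaimTypes.Email)?.Value;
        var verified = string.Equals(external.FindFirst("email_verified")?.Value, "true",
                                     StringComparison.OrdinalIgnoreCase);
        var at = email?.LastIndexOf('@') ?? -1;
        if (at < 1 || at == email.Length - 1) { reason = "no usable e-mail claim"; return false; }
        if (!verified) { reason = "e-mail address not verified by provider"; return false; }

        var domain = Normalise(email.Substring(at + 1));
        if (_domains.Contains(domain)) { reason = null; return true; }
        reason = $"e-mail domain '{domain}' is not allowed";
        return false;
    }

    private static string Normalise(string d) => d.Trim().TrimEnd('.').ToLowerInvariant();
}
```

In the quickstart's external callback this would run right after the external cookie is authenticated, before any local user is provisioned or signed in, so a rejected principal never reaches the client and the `reason` can be logged for the sign-in audit trail.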
