stackoom
  简体   繁体   中英

Getting all the claims from a WebApi for a user in Identity Server 4

 原文  2019-09-03 23:12:49       c#/ asp.net-core/ asp.net-web-api/ .net-core/ identityserver4

Question

I've gone through the examples of Ids4 specifically the client-webapi scenario.

https://github.com/IdentityServer/IdentityServer4/tree/master/samples/Clients

The example mostly illustrate how the client gets the access token, sends the acess token to the WebAPI and the WebAPI doing a check based on policy like scope or claim.

My scenario has the following constraints.

  • The access token contains minimal information. Meaning I don't put all of the information which are mostly sensitive in it.
  • The WebAPI requires those claims for the policy (not just scope) because the claim will be specific to a user, not the client application.

Example 

options.AddPolicy("User", policy =>
{
    policy.RequireClaim("ProfileAccess","user:read");
});
options.AddPolicy("Admin", policy =>
{
    policy.RequireClaim("ProfileAccess", "user:read", "user:write");
});

In an MVC client, OpenId Connect configuration has an option GetClaimsFromUserInfoEndpoint which calls the UserInfo endpoint using the token and turns those claims into claims for the principal. Is there something similar for WebAPI or do I have to implement it myself? I don't want to include too much information in the access token either.

2 answers

solution1
 2 ACCPTED  2019-09-04 06:41:03

The simplest ways is to include the needed claim in access token when Identity Server issues access token . So that API will get the claims after validating the token and you can create policy requirement to check the claim . You can define the API resources to include the user claim . See defining API resources :

http://docs.identityserver.io/en/latest/reference/api_resource.html#refapiresource

You can find there's a UserClaims property on the ApiResource (and Scope) to add list of associated user claim types that should be included in the access token.

GetClaimsFromUserInfoEndpoint is not designed for APIs , see this article for more details .

If you don't want to inlcude the claim in tokens , you can use delegation fow to acquire new access token to get the user's information .

solution2
 1  2019-09-04 07:35:14

It looks, what you need is a kind of Extension grant , namely delegation .

You want to give your API more access, than your client has, but you can't use just ClientCredentials flow or grant as it doesn't carry user information. That's exactly the case where delegation could help: you bring your API a token with the sub (userId) claim only, and API requests a totally new token, providing it's own credentials together with the original token.

Answering the original question: despite of it's technically possible to use the original token, coming to the API with a request from the client, it does not improve the security: if your Client is JS-app and it keeps the original token in Session or Local storage in browser, everyone can get that token and call UserInfo endpoint from curl or postman .

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question identity server 4 does not show all user claims Custom claims with SPA, WEBAPI and Identity Server 4 using oidc? Identity Server 4 add custom claims to User Access User.Identity and Claims from Outside User's Claims Identity Getting claims in identity server using resource owner password Identity Server 4 Adding claims after authentication from a UI Getting the User.Identity during service Resolution in Autofac and WebAPI 2 Owin Identity Server Windows Authentication Claims Role based claims in Identity Server 3 + AspNet Identity
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM