Is it possible to have authentication through IdentityServer4 and authorization in the API, separately?

I recently asked a question on Stack Overflow in English, but I may have expressed myself badly and did not get the answer I wanted. Link in English.

I have 3 different applications: IdentityServer, which is my identity provider; teaching.MVC, which is the frontend in Asp.net mvc; and teaching.Api. The latter is the Api itself. The process of authentication, definition of claims, scopes and everything else is ready and working. The thing is: in the Api I need to define Api-specific Claims. For example:

IdentityServer: authenticates the user and makes the access_token available to give Mvc access to the Api. This token contains the claims for profile, Email, user Id and everything that refers to the user. This application has access to the identity database only.

Teaching.Mvc: logs in through IdentityServer and saves the access_token for Api access. This whole process is described in the IdentityServer4 documentation.

Teaching.Api: here is the key to the question. The token that the Api receives contains the claims referring to the user: Id, profile, email... But the Api needs to restrict certain users' access to certain resources. The Api only has access to the application database, and does not have access to the identity database. So in the Api, using the user Id, I look up whether he has registered schools. If he does, I should assign him the Claim "Director". This same user can also be a student, so I look in the database whether he has "enrollments". If he does, I assign him the "student" Claim. However, I have no idea how to do this at the Api level.

Summary: based on the claims received in the Api via the access_token, I have to generate new claims, which are specific to the Api, and store them so that they can be accessed by the context and used to validate the Policies. All of this in the Api.

If anyone knows a better way to do this access control, suggestions are always welcome.

Author: Raul Medeiros, 2018-03-15

2 answers

I believe that the Identity Server should have only what the user needs; any other information that belongs only to the application you should add to the Claims as soon as the token is validated.

For this you can use the JwtBearerEvents instance.

Why this way? Because you can apply your identity server to several other applications that won't always have the same user data.

 1
Author: Marcelo Dias, 2018-09-18 17:10:53
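The API-side approach this answer describes, as an added example (not code from the question or the answer): teaching.Api validates the bearer token as usual, then in `JwtBearerEvents.OnTokenValidated` queries its own application database and attaches API-local claims to the request's principal, which the authorization policies then consume. It assumes ASP.NET Core 3.1+ with the `Microsoft.AspNetCore.Authentication.JwtBearer` package; `ISchoolRepository`, `InMemorySchoolRepository`, the claim type `teaching_role`, the policy names and the authority/audience values are all hypothetical placeholders.

```csharp
// Added example, not code from the original question or answers.
// teaching.Api resolves its own claims from the application database once the
// bearer token has been validated, then enforces policies on them.
// Assumptions: ASP.NET Core 3.1+ with Microsoft.AspNetCore.Authentication.JwtBearer;
// ISchoolRepository / InMemorySchoolRepository are hypothetical stand-ins for the
// real application-database queries; authority and audience are placeholders.
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical query surface over the application database (schools, enrollments).
public interface ISchoolRepository
{
    Task<bool> HasRegisteredSchoolsAsync(string userId);
    Task<bool> HasEnrollmentsAsync(string userId);
}

// Constructed sample data standing in for the real tables.
public sealed class InMemorySchoolRepository : ISchoolRepository
{
    private static readonly HashSet<string> Directors = new HashSet<string> { "user-1" };
    private static readonly HashSet<string> Students  = new HashSet<string> { "user-1", "user-2" };

    public Task<bool> HasRegisteredSchoolsAsync(string userId) => Task.FromResult(Directors.Contains(userId));
    public Task<bool> HasEnrollmentsAsync(string userId)       => Task.FromResult(Students.Contains(userId));
}

public static class ApiAuthSetup
{
    // API-local claim type: IdentityServer never issues it, so a token cannot
    // smuggle it in; it exists only in the request's ClaimsPrincipal.
    public const string ApiRoleClaim = "teaching_role";

    public static void ConfigureServices(IServiceCollection services)
    {
        services.AddScoped<ISchoolRepository, InMemorySchoolRepository>();

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = "https://localhost:5000"; // IdentityServer (placeholder)
                options.Audience  = "teaching.api";           // ApiResource name (placeholder)
                options.Events = new JwtBearerEvents
                {
                    // Invoked only after signature, issuer, audience and lifetime checks passed.
                    OnTokenValidated = async ctx =>
                    {
                        // The handler's default inbound claim map renames "sub" to NameIdentifier.
                        var userId = ctx.Principal.FindFirst("sub")?.Value
                                  ?? ctx.Principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
                        if (string.IsNullOrEmpty(userId))
                        {
                            ctx.Fail("access token carries no subject claim");
                            return;
                        }

                        var repo = ctx.HttpContext.RequestServices.GetRequiredService<ISchoolRepository>();
                        var apiClaims = new List<Claim>();
                        if (await repo.HasRegisteredSchoolsAsync(userId))
                            apiClaims.Add(new Claim(ApiRoleClaim, "Director"));
                        if (await repo.HasEnrollmentsAsync(userId))
                            apiClaims.Add(new Claim(ApiRoleClaim, "Student"));

                        // Keep token claims and API-derived claims in separate identities;
                        // policies still see both, since ClaimsPrincipal.HasClaim spans all identities.
                        ctx.Principal.AddIdentity(new ClaimsIdentity(apiClaims, "teaching.api"));
                    }
                };
            });

        services.AddAuthorization(options =>
        {
            options.AddPolicy("DirectorOnly", p => p.RequireClaim(ApiRoleClaim, "Director"));
            options.AddPolicy("StudentOnly",  p => p.RequireClaim(ApiRoleClaim, "Student"));
        });
    }
}

[ApiController, Route("schools")]
public class SchoolsController : ControllerBase
{
    [HttpGet("mine"), Authorize(Policy = "DirectorOnly")]
    public IActionResult Mine() => Ok("schools of the calling director");

    [HttpGet("enrolled"), Authorize(Policy = "StudentOnly")]
    public IActionResult Enrolled() => Ok("enrollments of the calling student");
}
```

Call `ApiAuthSetup.ConfigureServices` from the API's `Startup.ConfigureServices` and keep `app.UseAuthentication()` before `app.UseAuthorization()` in the pipeline. Two practical points: the lookups run on every request, so cache them per user if the tables are large; and because the claims are computed at request time rather than embedded in the token, removing a user's schools takes effect on the next call instead of at token expiry.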

Looking at the responsibilities and the proposal of IdentityServer4 itself, as well as my understanding of it, the teaching.Api application (acting as Resource Provider) is responsible for providing a resource that the teaching.Mvc application (acting as Client) wants to access.

Based on this understanding, it is not the responsibility of teaching.Api to generate access Claims for the user, but rather to validate the token and then return the resource requested by the teaching.Mvc application.

A solution would be: when logging in to teaching.Mvc using IdentityServer4, in IdentityServer4 itself, before you generate the JWT, check (by creating an implementation of IProfileService, for example) the list of Claims of the user object and perform your desired logic with the values (search whether he has registered schools; if he has, assign him the "Director" Claim; search the database whether the user has "enrollments" and, if he has, assign the "student" Claim, etc...).

That is, in your IdentityServer4 authentication server you will already generate the JWT with the desired Claims instead of adding Claims in other applications.

 1
Author: Renan, 2019-04-08 21:26:12
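The IdentityServer-side approach this answer describes, as an added example (not code from the question or the answer): a custom `IProfileService` computes the "Director"/"Student" claims when IdentityServer builds the token, and the `ApiResource` for teaching.api declares the claim type so it is included in access tokens for that audience. It assumes IdentityServer4 3.x, and that IdentityServer can query the application database through a hypothetical `ISchoolRepository` (its implementation is assumed to be registered elsewhere); the claim type `role` and the resource names are placeholders.

```csharp
// Added example, not code from the original question or answers.
// IdentityServer computes the "Director"/"Student" claims at token-issuance time
// through a custom IProfileService; the ApiResource declares the claim type so it
// is emitted only for tokens whose audience is teaching.api.
// Assumptions: IdentityServer4 3.x; ISchoolRepository is a hypothetical query
// surface over the application database (which this design requires IdentityServer
// to reach); its implementation is registered elsewhere.
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.Extensions.DependencyInjection;

public interface ISchoolRepository
{
    Task<bool> HasRegisteredSchoolsAsync(string userId);
    Task<bool> HasEnrollmentsAsync(string userId);
}

public class TeachingProfileService : IProfileService
{
    private readonly ISchoolRepository _repo;
    public TeachingProfileService(ISchoolRepository repo) => _repo = repo;

    // Called whenever IdentityServer assembles the claims for an id_token,
    // an access token or a userinfo response for this subject.
    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var userId = context.Subject.GetSubjectId(); // value of the "sub" claim
        var claims = new List<Claim>();
        if (await _repo.HasRegisteredSchoolsAsync(userId)) claims.Add(new Claim("role", "Director"));
        if (await _repo.HasEnrollmentsAsync(userId))       claims.Add(new Claim("role", "Student"));

        // Emits only claim types that the requested resources declared in UserClaims,
        // so "role" does not leak into tokens meant for unrelated APIs.
        context.AddRequestedClaims(claims);
    }

    // Lets IdentityServer refuse tokens for disabled accounts; everyone is active here.
    public Task IsActiveAsync(IsActiveContext context)
    {
        context.IsActive = true;
        return Task.CompletedTask;
    }
}

public static class TeachingResources
{
    public static IEnumerable<ApiResource> Apis => new[]
    {
        // UserClaims makes "role" a requested claim type for this API's access tokens.
        new ApiResource("teaching.api", "Teaching API") { UserClaims = { "role" } }
    };

    // Registration in IdentityServer's Startup.ConfigureServices, alongside the
    // existing clients and identity resources.
    public static void Configure(IServiceCollection services)
    {
        services.AddIdentityServer()
            .AddDeveloperSigningCredential()   // replace with a real signing key outside development
            .AddInMemoryApiResources(Apis)
            .AddProfileService<TeachingProfileService>();
    }
}
```

On the API side the token's `role` claim is then checked with a policy such as `RequireClaim("role", "Director")`, or with `[Authorize(Roles = "Director")]` after setting `options.TokenValidationParameters.RoleClaimType = "role"` on the JWT bearer handler. The trade-offs to weigh against the previous answer: the claims are frozen into the token for its lifetime, so a user who loses Director status keeps it until the token expires or is refreshed, and IdentityServer now needs a connection to the application database, which the question says it does not currently have.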