Understanding requirements

I am trying to get up to speed with OpenID Connect, OAuth 2.0, the security token service and claims. Imagine a scenario with a large website with many areas and various features, for example customer, order, supplier, delivery, return, etc. My question is this: can I create claims on the token server such as CanCreateCustomer, CanReadCustomer, CanUpdateCustomer, CanDeleteCustomer, etc., i.e. effectively CRUD claims for each main area / business object? This would lead to dozens, or rather hundreds, of claims. Or is my understanding inappropriate?

3 answers

I think your understanding is basically correct. However, if I understand what you are describing correctly, it is more likely an authorization (OAuth) than an authentication problem (OIDC), and therefore you can take a look at how other OAuth resource providers define their scopes (not claims, btw), like GitHub or Slack.


Your understanding is correct, but you have much more flexibility with OAuth 2.0 scopes (claims).

These scopes can be configured in any way; for example, in your case, instead of creating separate scopes for each CRUD operation of each main area, you can create grouped scopes, such as

customer.read_write
order.read_write 

etc., or

webportal.full_access
adminportal.full_access

...

@ValidScopesIn({Scopes.WEBPORTAL_FULL_ACCESS, Scopes.CUSTOMER_READ_WRITE})
public void createCustomer(Customer customer) {
    // your creation logic
}

I would recommend that scopes be configured as URIs so that no collisions occur.

As an example.

-Jeet

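The grouped-scope check this answer sketches with ValidScopesIn, worked through in Python as an added example (not code from the question or any answer). It assumes the token's `scope` claim is the usual space-delimited string, that the token payload has already been validated (signature, expiry, audience) before this check runs, and it invents the URI-style scope names and the implied-scope hierarchy; it goes slightly beyond the answer by letting a coarse scope such as webportal.full_access imply the finer ones.

```python
from functools import wraps

# Hypothetical scope vocabulary: coarse scopes grant a bundle of operations
# instead of one CRUD claim per business object.
SCOPE_PREFIX = "https://example.invalid/scopes/"  # URI-style names, as Jeet suggests

def scope(name):
    return SCOPE_PREFIX + name

# A scope on the left implies every scope on the right (assumed hierarchy).
IMPLIED = {
    scope("webportal.full_access"): {scope("customer.read_write"), scope("order.read_write")},
    scope("customer.read_write"): {scope("customer.read")},
    scope("order.read_write"): {scope("order.read")},
}

def expand_scopes(granted):
    """Return the granted scopes plus everything they transitively imply."""
    result, stack = set(), list(granted)
    while stack:
        s = stack.pop()
        if s in result:
            continue
        result.add(s)
        stack.extend(IMPLIED.get(s, ()))
    return result

def has_any_scope(claims, accepted):
    """True if the token's space-delimited 'scope' claim holds or implies any accepted scope.
    `claims` is assumed to be the payload of an already validated token."""
    held = expand_scopes(str(claims.get("scope", "")).split())
    return not held.isdisjoint(accepted)

class Forbidden(Exception):
    pass

def valid_scopes_in(*accepted):
    """Decorator equivalent of the ValidScopesIn annotation: any listed scope suffices."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(claims, *args, **kwargs):
            if not has_any_scope(claims, accepted):
                raise Forbidden(f"{fn.__name__} requires one of {sorted(accepted)}")
            return fn(claims, *args, **kwargs)
        return wrapper
    return decorator

@valid_scopes_in(scope("webportal.full_access"), scope("customer.read_write"))
def create_customer(claims, customer):
    return {"created": customer["name"]}
```

Unknown scope strings in the token are simply ignored, so a mistyped or unrelated scope never grants access.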
