IdentityServer 3 + ASP.NET Identity: Scopes, Claims and Clients - Clarifications

I am slowly figuring out how the different parts of an authentication and authorization server architecture fit together. I really think IdentityServer is great software.

I will try to summarize what I have found so far, to give some context to my questions.

  • IdentityServer issues tokens using OpenID Connect. The tokens issued are identity tokens and access tokens.
  • Tokens are requested, as specified by the OpenID Connect protocol, by clients using the OAuth 2.0 flows. One flow per client.
  • At the start of the flow, the client requests a set of scopes (at least "openid", because it must indicate that the OpenID Connect flow is being used).
  • The client can request all the scopes it is allowed to ask for. With the Entity Framework plugin for IdentityServer, this information is held in the ClientScope table. If the client requests a scope it is not allowed to request, the flow is aborted.
  • Scopes may contain "claims". This means that if a scope contains a set of claims, whenever a token is issued to the client for that scope, the token also carries the corresponding claims of the user. For example, say the client application asks for the "roles" scope: once the client is authorized, the token it receives will contain all of the user's roles (as claims).
  • Each requested scope, if allowed, is "translated" into a claim named "scope". This means that if a client requests, for example, a specific scope called "api", the generated identity will have at least one claim named "scope" with the value "api".

If everything that I wrote is more or less correct, here are my questions:

  • How are the claims defined in the ASP.NET Identity tables (for example AspNetUserClaims) connected to IdentityServer? From what I saw, matching is done by name. Is this conclusion correct? In other words, if my client needs to receive "role" claims (because it asked for the "roles" scope), will the ASP.NET Identity plugin for IdentityServer simply release the "role" claims of the authenticated user?
  • Referring to the EntityFramework plugin tables, what is the purpose of the ClientClaims table? I cannot understand how claims can be directly related to a client... What am I missing?
  • Suppose that on my resource server I have an action protected by the ResourceAuthorize attribute as follows:

    [ResourceAuthorize("Reading", "Orders")]

    In my AuthorizationManager, I check for an order_read claim or an api claim. These are two different scopes defined in my authorization server, one for "reading an order" and the other for full API access. The former can be requested by third-party clients, while the latter cannot. Is this good practice?

  • I cannot understand what my client should do with the id_token. Should I ignore the issue, since I am using the OIDC Token Manager JS library? Are the security checks implemented by this library?

  • Last question: when my application presents an access token, how is the ClaimsIdentity generated? Is it correct to say that it is generated after the token has been validated against IdentityServer? Does this mean that IdentityServer receives the access token and translates it into a set of claims?

Thanks for your clarification!

Marco

entity-framework identityserver3 asp.net-identity-2
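The scope and client model described in the question, written out as an added IdentityServer3 v2 in-memory configuration. This is example code, not code from the question or from the IdentityServer project. The scope names openid, roles, order_read and api come from the question; the client ids, secrets, URLs and the "tenant" claim are assumptions. It shows a third-party client limited to order_read, a first-party SPA client that may ask for api, and a client-credentials client whose Client.Claims (the ClientClaims table) are the only claims its tokens can carry.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using IdentityServer3.Core;
using IdentityServer3.Core.Models;

namespace AuthServer.Config
{
    public static class Scopes
    {
        public static IEnumerable<Scope> Get()
        {
            return new List<Scope>
            {
                // Identity scopes. "openid" is mandatory for an OpenID Connect request;
                // "roles" maps to the "role" claim, which ends up in the identity token.
                StandardScopes.OpenId,
                StandardScopes.Roles,

                // Resource scopes describe what the access token is good for. Every
                // granted scope name becomes a "scope" claim in the access token.
                new Scope
                {
                    Name = "order_read",
                    DisplayName = "Read your orders",
                    Type = ScopeType.Resource,
                    // Claims listed on a scope are requested from IUserService by claim
                    // type name and copied into the access token next to the "scope" claim.
                    Claims = new List<ScopeClaim> { new ScopeClaim(Constants.ClaimTypes.Role) }
                },
                new Scope
                {
                    Name = "api",
                    DisplayName = "Full API access",
                    Type = ScopeType.Resource
                }
            };
        }
    }

    public static class Clients
    {
        public static IEnumerable<Client> Get()
        {
            return new List<Client>
            {
                // Third-party client (assumed id/secret/URL): may only ask for order_read.
                // An authorization request that includes "api" is rejected as invalid_scope.
                new Client
                {
                    ClientId = "partner",
                    ClientName = "Partner web app",
                    Flow = Flows.Hybrid,
                    ClientSecrets = new List<Secret> { new Secret("partner-secret".Sha256()) },
                    RedirectUris = new List<string> { "https://partner.example.com/signin-oidc" },
                    AllowedScopes = new List<string> { "openid", "roles", "order_read" }
                },

                // First-party SPA using the OIDC Token Manager JS library: implicit flow, so
                // tokens arrive in the redirect fragment and the origin must be CORS-allowed.
                // The post-logout redirect is only honoured when the SPA sends its id_token
                // as id_token_hint to the end session endpoint.
                new Client
                {
                    ClientId = "dashboard",
                    ClientName = "Order dashboard",
                    Flow = Flows.Implicit,
                    RedirectUris = new List<string> { "https://dashboard.example.com/callback.html" },
                    PostLogoutRedirectUris = new List<string> { "https://dashboard.example.com/" },
                    AllowedCorsOrigins = new List<string> { "https://dashboard.example.com" },
                    AllowedScopes = new List<string> { "openid", "roles", "api" }
                },

                // Machine client with no user behind it: here Client.Claims (the ClientClaims
                // table) matter, because there is no user to take claims from. They are issued
                // prefixed with "client_" by default, so this token carries client_tenant=acme.
                new Client
                {
                    ClientId = "nightly-job",
                    ClientName = "Nightly order export",
                    Flow = Flows.ClientCredentials,
                    ClientSecrets = new List<Secret> { new Secret("job-secret".Sha256()) },
                    AllowedScopes = new List<string> { "api" },
                    Claims = new List<Claim> { new Claim("tenant", "acme") },
                    PrefixClientClaims = true
                }
            };
        }
    }
}
```

Register these with `new IdentityServerServiceFactory().UseInMemoryScopes(Scopes.Get()).UseInMemoryClients(Clients.Get())` in the IdentityServer host; with the Entity Framework plugin the same objects are what the Scopes, ScopeClaims, Clients, ClientScopes and ClientClaims tables persist.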
1 answer

Yes, you have the right idea. Regarding your questions:

how are the claims defined in the ASP.NET Identity tables connected to IdentityServer

That is up to you. IdentityServer does not provide an identity management library. The IUserService extensibility point is where you bridge this gap. We have an ASP.NET Identity-based version of IUserService, but it is a source-code NuGet package, so you can change it to do exactly what you need.

I cannot understand what my client should do with the id_token

It is mainly used to pass back to IdentityServer at logout (to authenticate the logout request).

when my application presents an access token, how is the ClaimsIdentity generated

There is middleware (AccessTokenValidation) to validate the access token. The result is the set of claims the token carries, which is then turned into a ClaimsIdentity and made available to any subsequent processing (for example, your Web API code).

what's the value of the "ClientClaims" table

The Client configuration has a Claims property for when you want to issue claims on behalf of the client. Check out the docs: https://identityserver.imtqy.com/Documentation/docsv2/configuration/clients.html

suppose on my resource server I have an action protected by a ResourceAuthorize attribute like this

This is unrelated to IdentityServer and is part of the IdentityModel library. ResourceAuthorize is a framework for taking the user, the resource and the action into account when deciding the outcome of an authorization check.

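The three pieces the answer names, as an added example rather than code from the answer or from IdentityServer: an IUserService built on UserServiceBase that releases user claims by matching the claim type names requested for the granted scopes, the AccessTokenValidation middleware that turns a bearer token into the request's ClaimsIdentity, and an AuthorizationManager that accepts either the order_read or the api scope for reading orders. The first class belongs in the IdentityServer host, the rest in the resource server; they are shown in one listing for brevity. The class names, the user "marco" with subject id 1001 and the claims in the dictionary (a constructed stand-in for AspNetUsers/AspNetUserClaims), the Authority URL, and the action string "Read" (standing for the question's "Reading") are assumptions. Packages used: IdentityServer3, IdentityServer3.AccessTokenValidation, Thinktecture.IdentityModel.Owin.ResourceAuthorization and Microsoft.AspNet.WebApi.Owin.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using IdentityServer3.AccessTokenValidation;
using IdentityServer3.Core;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services.Default;
using Owin;
using Thinktecture.IdentityModel.Owin.ResourceAuthorization;
using Thinktecture.IdentityModel.WebApi;

namespace Sample
{
    // ---- IdentityServer host: the IUserService bridge to the user store ----
    public class UserStoreUserService : UserServiceBase
    {
        // Constructed stand-in for AspNetUsers/AspNetUserClaims (assumed data).
        private static readonly Dictionary<string, List<Claim>> UserClaims =
            new Dictionary<string, List<Claim>>
            {
                ["1001"] = new List<Claim>
                {
                    new Claim(Constants.ClaimTypes.Name, "marco"),
                    new Claim(Constants.ClaimTypes.Role, "order_clerk"),
                    new Claim(Constants.ClaimTypes.Role, "auditor"),
                    new Claim("department", "sales") // never released: no scope lists it
                }
            };

        public override Task AuthenticateLocalAsync(LocalAuthenticationContext context)
        {
            // With ASP.NET Identity this would be UserManager.FindAsync(name, password).
            if (context.UserName == "marco" && context.Password == "secret")
                context.AuthenticateResult = new AuthenticateResult("1001", "marco");
            return Task.FromResult(0);
        }

        public override Task GetProfileDataAsync(ProfileDataRequestContext context)
        {
            var subject = context.Subject.FindFirst(Constants.ClaimTypes.Subject).Value;
            var claims = UserClaims[subject];
            // Matching is by claim type name: IdentityServer passes the claim types declared
            // on the granted scopes ("role" for the roles scope) and only those are issued.
            context.IssuedClaims = context.AllClaimsRequested
                ? claims
                : claims.Where(c => context.RequestedClaimTypes.Contains(c.Type)).ToList();
            return Task.FromResult(0);
        }
    }

    // ---- Resource server (Web API) ----
    public class ResourceServerStartup
    {
        public void Configuration(IAppBuilder app)
        {
            // Validates the bearer token and builds the request's ClaimsIdentity from its
            // claims before any controller runs. Authority is an assumed IdentityServer URL.
            app.UseIdentityServerBearerTokenAuthentication(
                new IdentityServerBearerTokenAuthenticationOptions
                {
                    Authority = "https://localhost:44333/core",
                    RequiredScopes = new[] { "order_read", "api" } // at least one must be present
                });
            app.UseResourceAuthorization(new AuthorizationManager());
            // app.UseWebApi(config) follows here.
        }
    }

    public class AuthorizationManager : ResourceAuthorizationManager
    {
        public override Task<bool> CheckAccessAsync(ResourceAuthorizationContext context)
        {
            var action = context.Action.First().Value;
            var resource = context.Resource.First().Value;
            // Each granted scope arrived as one "scope" claim in the validated token.
            var scopes = context.Principal.FindAll(Constants.ClaimTypes.Scope)
                                          .Select(c => c.Value).ToList();

            if (scopes.Contains("api"))            // full access, first-party clients only
                return Ok();
            if (resource == "Orders" && action == "Read")
                return Eval(scopes.Contains("order_read")); // the scope third parties may request
            return Nok();
        }
    }

    public class OrdersController : ApiController
    {
        [ResourceAuthorize("Read", "Orders")]
        public IHttpActionResult Get()
        {
            // User.Identity is the ClaimsIdentity the validation middleware produced.
            var identity = (ClaimsIdentity)User.Identity;
            return Ok(identity.Claims.Select(c => new { c.Type, c.Value }));
        }
    }
}
```

Register the user service in the IdentityServer host with `factory.UserService = new Registration<IUserService>(new UserStoreUserService())`. Because the "department" claim is on no scope, it is never released even though the user has it; the resource server never sees more than the scopes the client was allowed to ask for, which is what makes the order_read/api split in AuthorizationManager meaningful.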
