We need to make a central auth server for multiple applications that we build, while still having roles and claims which are specific to that particular application. Let me explain with an analogy using various services by Microsoft.
I sign up for a Microsoft account and hence my authentication info is stored in a central server. Now i login using the account and assume a fresh start i land up at account.microsoft.com, now i go to msdn click on sign in, it takes me to the login page on auth server then to the consent screen and back to msdn logged in, now i go to xbox and does the same thing. Now MDSN and XBOX are two completely different applications with each having it's own Api, web apps and mobile apps, but using the same auth server.
Till now i have been making independent applications using Identity Framework, and am reasonably comfortable with it, but this is comparatively much more complex than what i have done till now. I was looking through IdentityServer4 to have a central auth server and has completed all the tutorials present on the official doc site, so i have a basic idea of the concepts.
What i need is to have each application be able to specify it's own set of roles and claims without even having any kind of knowledge about other applications, and also the central server will be having external authentications enabled, hence ASP.NET Core Identity in central server.
Current Architecture
Things i am able to achieve till now
Alternate solutions that i came up in my mind
These stack overflow questions gets the most closest but are not the exact solution
Any guidance that takes me in the right direction will help
EDIT #1 : It seems like someone has flagged this questions as off-topic, so just want to clarify that i am looking for a specific code/solution using identity server 4 and asp.net core identity and not some recommendation, though any guidance apart from the answer is welcome for better clarifications and understanding, but just the code would suffice, and i feel that it's as per the guidelines of the community.
EDIT #2 I tried doing authorization on client side as suggested by @travis.js but i am unable to understand how do i implement the claims on client side something like [Authorize(Roles="Admin")]
答案 0 :(得分:2)
我认为您的替代解决方案是"对"之一。
解决您的疑虑:
过多地努力连接auth逻辑,因为它必须首先得到 来自中央服务器的身份然后从中获取声明 应用程序特定的数据库
听起来对我来说恰到好处的努力。中央服务器进行身份验证,每个应用程序都有自己的授权。
我不确定如何在客户端使用asp.net身份进行操作
您在客户端/应用程序端并不真正需要ASP.NET身份。身份由中央服务器处理。
中央auth服务器上的未使用的表
非问题。但是你仍然可以在更宏观的层面上将该表用于其预期目的。
跨应用程序复制auth逻辑
这听起来不像是重复的逻辑。中央服务器执行身份/身份验证,每个应用程序负责确定自己的授权逻辑。