client specific claims identity server4 using asp.net core identity

时间:2017-08-05 10:55:54

标签: c# asp.net-mvc authentication identityserver4 asp.net-core-identity

We need to make a central auth server for multiple applications that we build, while still having roles and claims which are specific to that particular application. Let me explain with an analogy using various services by Microsoft.

I sign up for a Microsoft account and hence my authentication info is stored in a central server. Now i login using the account and assume a fresh start i land up at account.microsoft.com, now i go to msdn click on sign in, it takes me to the login page on auth server then to the consent screen and back to msdn logged in, now i go to xbox and does the same thing. Now MDSN and XBOX are two completely different applications with each having it's own Api, web apps and mobile apps, but using the same auth server.

Till now i have been making independent applications using Identity Framework, and am reasonably comfortable with it, but this is comparatively much more complex than what i have done till now. I was looking through IdentityServer4 to have a central auth server and has completed all the tutorials present on the official doc site, so i have a basic idea of the concepts.

What i need is to have each application be able to specify it's own set of roles and claims without even having any kind of knowledge about other applications, and also the central server will be having external authentications enabled, hence ASP.NET Core Identity in central server.

Current Architecture

  1. Central Identity Server (using IdentityServer4, ASP.NET Core Identity, Entity Framework)
  2. One Central DB for Central Server
  3. Multiple Applications Sets (API, MVC App, Xamarin Mobile Apps)
  4. One or more DB for each application as per need

Things i am able to achieve till now

  1. Customize an identity resource to get user claims stored in db but if i add one roles, it returns me the role repeatedly the number of times as the count of API resources and Clients

Alternate solutions that i came up in my mind

  1. Store the claims and roles in application specific DB, but i guess that i will be facing these issues
    • too much effort wiring up the auth logic, as it will have to first get the identity from central server and then get claims from the application specific DB
    • not sure how i can do it using asp.net identity on client side
    • unused table on central auth server
    • duplication of auth logic across applications

These stack overflow questions gets the most closest but are not the exact solution

Any guidance that takes me in the right direction will help

EDIT #1 : It seems like someone has flagged this questions as off-topic, so just want to clarify that i am looking for a specific code/solution using identity server 4 and asp.net core identity and not some recommendation, though any guidance apart from the answer is welcome for better clarifications and understanding, but just the code would suffice, and i feel that it's as per the guidelines of the community.

EDIT #2 I tried doing authorization on client side as suggested by @travis.js but i am unable to understand how do i implement the claims on client side something like [Authorize(Roles="Admin")]

1 个答案:

答案 0 :(得分:2)

我认为您的替代解决方案是"对"之一。

解决您的疑虑:

  

过多地努力连接auth逻辑,因为它必须首先得到   来自中央服务器的身份然后从中获取声明   应用程序特定的数据库

听起来对我来说恰到好处的努力。中央服务器进行身份验证,每个应用程序都有自己的授权。

  

我不确定如何在客户端使用asp.net身份进行操作

您在客户端/应用程序端并不真正需要ASP.NET身份。身份由中央服务器处理。

  中央auth服务器上的

未使用的表

非问题。但是你仍然可以在更宏观的层面上将该表用于其预期目的。

  

跨应用程序复制auth逻辑

这听起来不像是重复的逻辑。中央服务器执行身份/身份验证,每个应用程序负责确定自己的授权逻辑。