Hasan

Reputation: 2552

Asp.Net Core / IdentityServer Complex Authorization

For the project I am working on, I need to create two separate (but not totally unrelated) applications with a common identity server. I picked IdentityServer4 for that purpose and it works well for me.

However, I need to be able to assign the users to multiple companies/projects (yes, it is a real life case) and possibly to different roles in each of them. However, I wasn't able to design the claims structure for that.

I see two approaches that could solve this problem:

  1. Create a complex claim for each company/project which will contain companyId and the user's role in that company, which could be in JSON form or a custom string like companyGUID_roleClaim. However, when I did some research about it, I realized there are many people who don't think it is the right approach, since they believe the claims should be simple key-value pairs.

  2. Let the applications connect/query the Identity database to retrieve the companies/projects and roles associated with the active user and protect resources using policies based on those data.

Maybe I am looking at it from the wrong side, or one of those two is acceptable. Or there is another solution. Can you please help me find a solution to this problem?

Upvotes: 3

Views: 611

Answers (1)

user1336

Reputation: 7205

If you're going to use the first approach you might run into some problems. The roles that you specify in your claim might have a different meaning in your two, not totally unrelated, applications.

Claims represent the user's identity, not what he/she is allowed access to.

You could write an authorization service that will provide the required authorization data from the database. Then you can authorize in the two applications by writing an authorization policy. You can protect your resources by decorating them with [Authorize(Policy="MyPolicy")].

leastprivilege wrote a nice blog about it and why you shouldn't use claims for permissions: https://leastprivilege.com/2016/12/16/identity-vs-permissions/

Upvotes: 5
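The policy-based approach from the answer above, as an added example that is not code from the question, the answer, or IdentityServer4. It assumes a route parameter named companyId, an in-memory ICompanyPermissionStore standing in for the application's own database table, the requirement/handler/policy names shown, and that the token's subject arrives in the sub claim (falling back to ClaimTypes.NameIdentifier). The identity server only says who the user is; each application decides per company what that user may do.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Routing;
using Microsoft.Extensions.DependencyInjection;

// Permission store owned by the application; the identity server knows nothing about it.
public interface ICompanyPermissionStore
{
    Task<IReadOnlyCollection<string>> GetRolesAsync(string userId, string companyId);
}

// Hypothetical in-memory store (constructed sample data) standing in for a database table.
public sealed class InMemoryCompanyPermissionStore : ICompanyPermissionStore
{
    private static readonly Dictionary<(string User, string Company), string[]> Rows =
        new Dictionary<(string, string), string[]>
        {
            [("user-1", "company-a")] = new[] { "Admin" },
            [("user-1", "company-b")] = new[] { "Viewer" },
        };

    public Task<IReadOnlyCollection<string>> GetRolesAsync(string userId, string companyId)
    {
        Rows.TryGetValue((userId, companyId), out var roles);
        return Task.FromResult<IReadOnlyCollection<string>>(roles ?? Array.Empty<string>());
    }
}

// Requirement: the caller must hold the named role in the company addressed by the request.
public sealed class CompanyRoleRequirement : IAuthorizationRequirement
{
    public CompanyRoleRequirement(string role) => Role = role;
    public string Role { get; }
}

public sealed class CompanyRoleHandler : AuthorizationHandler<CompanyRoleRequirement>
{
    private readonly ICompanyPermissionStore _store;
    private readonly IHttpContextAccessor _http;

    public CompanyRoleHandler(ICompanyPermissionStore store, IHttpContextAccessor http)
    {
        _store = store;
        _http = http;
    }

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context, CompanyRoleRequirement requirement)
    {
        // Only the subject identifier is taken from the token; no role claim is trusted here.
        var userId = context.User.FindFirst("sub")?.Value
                     ?? context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        // companyId comes from the route (assumed name), so the check is per company, not global.
        var companyId = _http.HttpContext?.GetRouteValue("companyId") as string;
        if (userId is null || companyId is null)
            return; // no decision: the requirement stays unmet and the request is denied

        var roles = await _store.GetRolesAsync(userId, companyId);
        if (roles.Contains(requirement.Role))
            context.Succeed(requirement);
    }
}

// Registration for Startup.ConfigureServices / Program.cs; one policy per role.
public static class CompanyAuthorization
{
    public static void AddCompanyAuthorization(this IServiceCollection services)
    {
        services.AddHttpContextAccessor();
        services.AddSingleton<ICompanyPermissionStore, InMemoryCompanyPermissionStore>();
        services.AddScoped<IAuthorizationHandler, CompanyRoleHandler>();
        services.AddAuthorization(options =>
        {
            options.AddPolicy("CompanyAdmin", p => p.RequireAuthenticatedUser()
                .AddRequirements(new CompanyRoleRequirement("Admin")));
            options.AddPolicy("CompanyViewer", p => p.RequireAuthenticatedUser()
                .AddRequirements(new CompanyRoleRequirement("Viewer")));
        });
    }
}

[ApiController]
[Route("companies/{companyId}")]
public class CompanyController : ControllerBase
{
    // user-1 may read company-a and company-b, but may only delete company-a.
    [HttpGet("report")]
    [Authorize(Policy = "CompanyViewer")]
    public IActionResult Report(string companyId) => Ok($"report for {companyId}");

    [HttpDelete]
    [Authorize(Policy = "CompanyAdmin")]
    public IActionResult Delete(string companyId) => NoContent();
}
```

Because the handler resolves the company from the request rather than from the token, the same user can be Admin in one company and Viewer in another without any composite claim, and each of the two applications can keep its own permission table with its own meaning of "Admin". Note that with the Viewer role alone the Delete endpoint is denied, since the handler never calls Succeed and a policy with an unmet requirement fails closed.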
