Reputation: 7592
Scenario 1: Assume I have an Angular client with the implicit grant type. I am also using ASP.NET Identity to log in with database users. I log in as user Bob. I access my list of cars. For each car I have an option to edit it. Each row has an edit button and the id of the car.
Example of the GET URL in each row: http://localhost:5000/cars/id/1
Let's say I randomly enter some car id: http://localhost:5000/cars/id/345, which is another user's car.
How does Identity Server protect other users' data in this situation?
Scenario 2: let's have IdentityManager set up with IdentityServer OpenID authentication. Which username and password are we authenticating with to gain access to IdentityManager to manage users? If it is a user from the ASP.NET Identity database, then every user in there can access IdentityManager...?
Upvotes: 3
Views: 4473
Reputation: 755
They don't. It's not the responsibility of Identity Server. Identity Server's main responsibility is to take care of authentication.
Upvotes: 1
Reputation: 3043
Scenario 1
Authorization is not part of Identity Server, except for the basic client/scope-based authorization defined in OAuth. Identity Server just handles the authentication part. Have a look here for implementing authorization on an ASP.NET Core app: https://learn.microsoft.com/en-us/aspnet/core/security/authorization/resourcebased
Basically, Identity Server gives you the user's identity, so you can validate whether that user has access to the given resource.
Scenario 2
You can define users with a certain role claim (e.g. Role:IdentityManagerAdministrator) in your user store, and validate whether the logged-in user has that role in IdentityManager. See Secure IdentityManager with IdentityServer3.
Upvotes: 0
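The answer above describes both pieces without showing them: a per-resource ownership check for Scenario 1 (the resource-based authorization the linked Microsoft page covers) and a role-claim policy for Scenario 2. The following is an added example, not code from the question, from either answer, or from IdentityServer or IdentityManager. It assumes IdentityServer has already authenticated the caller and issued a token whose unique user id is in the "sub" claim and whose role is in a claim of type "role"; the Car type, the in-memory CarStore, the "CarOwner"/"IdentityManagerAdmin" names and the two controllers are all invented for illustration.

```csharp
// Added example (not from the question or either answer): resource-based
// authorization in ASP.NET Core, checked after IdentityServer has authenticated
// the caller. All type names, the "sub" and "role" claim types, and the
// in-memory car store below are assumptions for illustration.
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Car
{
    public int Id { get; set; }
    // Subject id ("sub" claim) of the user who owns the car.
    public string OwnerSubjectId { get; set; } = "";
}

// Constructed stand-in for a database table: Bob owns car 1, Alice owns car 345.
public static class CarStore
{
    public static readonly Dictionary<int, Car> Cars = new Dictionary<int, Car>
    {
        [1]   = new Car { Id = 1,   OwnerSubjectId = "bob-sub" },
        [345] = new Car { Id = 345, OwnerSubjectId = "alice-sub" },
    };
}

// Scenario 1: the requirement "the caller must own this car".
public class CarOwnerRequirement : IAuthorizationRequirement { }

public class CarOwnerHandler : AuthorizationHandler<CarOwnerRequirement, Car>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, CarOwnerRequirement requirement, Car car)
    {
        // IdentityServer puts the user's unique id in the "sub" claim of the token.
        var subject = context.User.FindFirst("sub")?.Value;
        if (subject != null && subject == car.OwnerSubjectId)
        {
            context.Succeed(requirement);
        }
        // Deliberately no Fail(): another handler (e.g. an admin override) may still succeed.
        return Task.CompletedTask;
    }
}

[ApiController]
[Route("cars")]
[Authorize] // authentication only: a valid token from IdentityServer is required
public class CarsController : ControllerBase
{
    private readonly IAuthorizationService _authz;
    public CarsController(IAuthorizationService authz) => _authz = authz;

    // GET /cars/id/345 -> the ownership check runs per request, per resource.
    [HttpGet("id/{id:int}")]
    public async Task<IActionResult> Get(int id)
    {
        if (!CarStore.Cars.TryGetValue(id, out var car))
            return NotFound();

        var result = await _authz.AuthorizeAsync(User, car, new CarOwnerRequirement());
        if (!result.Succeeded)
            return NotFound(); // same response as "no such car", so ids cannot be enumerated

        return Ok(car);
    }
}

// Scenario 2: an admin-only controller gated by a role claim from the user store.
[ApiController]
[Route("identitymanager")]
[Authorize(Policy = "IdentityManagerAdmin")]
public class IdentityManagerController : ControllerBase
{
    [HttpGet("users")]
    public IActionResult Users() => Ok("only IdentityManagerAdministrator reaches this");
}

public static class AuthorizationSetup
{
    // Call from ConfigureServices; registers the handler and the role policy.
    public static void Configure(IServiceCollection services)
    {
        services.AddSingleton<IAuthorizationHandler, CarOwnerHandler>();
        services.AddAuthorization(options =>
        {
            // Assumes the role claim is issued under the claim type "role".
            options.AddPolicy("IdentityManagerAdmin",
                policy => policy.RequireClaim("role", "IdentityManagerAdministrator"));
        });
    }
}
```

With this wiring, Bob's token gets 200 for /cars/id/1 and 404 for /cars/id/345, because the token only proves who Bob is; the ownership decision is made by the API against its own data. Returning 404 rather than 403 for another user's car is a design choice so that a guessed id does not confirm that the car exists. The role policy does the equivalent for IdentityManager: being in the ASP.NET Identity user store is not enough, the specific role claim must be present on the token.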