Reputation: 30747
Looking to implement IdentityServer to provide our systems with SSO.
All users, both internal to the organization and external would be stored in Active Directory. We would then use IdentityServer to authenticate against AD.
What we are looking to do is create buckets of claims for a user. So a user can have different values for their claims.
E.g. a development bucket may have the claim "My.Claim.Name" with a value of "Bob", and a production bucket may have the claim "My.Claim.name" with a value of "John".
Active Directory isn't, as far as I am aware, able to silo attributes in this fashion, so I would need to build this custom functionality into a database that IdentityServer will access.
So that brings me to the question.
Is it possible to authenticate a user against one storage mechanism, but retrieve the claims for that user from another store? Essentially separating the user and their claims.
If so, can someone please point me in the direction of what interfaces may need to be implemented to make this happen?
Upvotes: 2
Views: 724
Reputation: 2315
IdentityServer implements the OpenID Connect spec, which means only identity. Authorization should not be mixed with identity; ref this blog post by the authors: https://leastprivilege.com/2016/12/16/identity-vs-permissions/
Authorization should be checked by each application (e.g. a user in API1 has access to these resources, the same user in API2 has access to other resources). This basically means that once authenticated, each application needs to get user authorization from a separate source (i.e. your authorization store).
BUT, to answer your question, you should implement the IProfileService interface: http://docs.identityserver.io/en/release/reference/profileservice.html?highlight=iprofileservice. This interface gets called when the user identity is created, letting you fill out claims based on requested scopes. Here you can fetch claims from your separate authorization database.
Note that this is considered not best practice, and the IdentityServer team has said they will come up with a proper Authorization solution some time soon.
Upvotes: 2
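As an added illustration of the answer above (example code, not from the original post or from the IdentityServer project), here is an IdentityServer4 `IProfileService` that authenticates nothing itself, but pulls claims for an already-authenticated subject from a separate, bucketed claims store. `IBucketedClaimStore`, `InMemoryBucketedClaimStore`, `BucketedProfileService` and the `"bucket"` client property are assumptions made for this example; the `ad-guid-0001` subject and its two claim rows are constructed sample data standing in for the custom database described in the question. `GetSubjectId()`, `AddRequestedClaims()` and `AddProfileService<T>()` are real IdentityServer4 extension methods.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical abstraction over the separate claims database from the question:
// claims are keyed by the subject id (from AD) and by a "bucket" name.
public interface IBucketedClaimStore
{
    Task<IReadOnlyList<Claim>> GetClaimsAsync(string subjectId, string bucket);
    Task<bool> IsEnabledAsync(string subjectId);
}

// Constructed in-memory stand-in for that database; only here to make the flow runnable.
public class InMemoryBucketedClaimStore : IBucketedClaimStore
{
    private readonly Dictionary<(string Subject, string Bucket), List<Claim>> _claims =
        new Dictionary<(string, string), List<Claim>>
        {
            [("ad-guid-0001", "development")] = new List<Claim> { new Claim("My.Claim.Name", "Bob") },
            [("ad-guid-0001", "production")]  = new List<Claim> { new Claim("My.Claim.Name", "John") },
        };

    public Task<IReadOnlyList<Claim>> GetClaimsAsync(string subjectId, string bucket)
    {
        _claims.TryGetValue((subjectId, bucket), out var found);
        return Task.FromResult<IReadOnlyList<Claim>>(found ?? new List<Claim>());
    }

    // Constructed: in a real deployment this would consult AD or the claims database.
    public Task<bool> IsEnabledAsync(string subjectId) =>
        Task.FromResult(subjectId == "ad-guid-0001");
}

public class BucketedProfileService : IProfileService
{
    private readonly IBucketedClaimStore _store;

    public BucketedProfileService(IBucketedClaimStore store) => _store = store;

    // Assumption: each IdentityServer client carries a "bucket" entry in Client.Properties
    // (e.g. the development client is configured with bucket=development). Unknown or
    // missing values fall back to "production" so a misconfigured client never sees
    // development-only claim values by accident.
    private static string ResolveBucket(Client client) =>
        client?.Properties != null && client.Properties.TryGetValue("bucket", out var bucket)
            ? bucket
            : "production";

    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        // The subject was authenticated elsewhere (against AD in the question); only its id is needed here.
        var subjectId = context.Subject.GetSubjectId();
        var stored = await _store.GetClaimsAsync(subjectId, ResolveBucket(context.Client));

        // AddRequestedClaims keeps only the claim types tied to the scopes the client
        // actually requested, so the store cannot leak claims a client was never granted.
        context.AddRequestedClaims(stored);
    }

    public async Task IsActiveAsync(IsActiveContext context)
    {
        // Evaluated on token issuance and refresh: an account disabled after its initial
        // AD login stops receiving new tokens even though the session still exists.
        context.IsActive = await _store.IsEnabledAsync(context.Subject.GetSubjectId());
    }
}

public static class BucketedClaimsRegistration
{
    // Wires the store and the profile service into IdentityServer's DI container.
    public static IIdentityServerBuilder AddBucketedClaims(this IIdentityServerBuilder builder)
    {
        builder.Services.AddSingleton<IBucketedClaimStore, InMemoryBucketedClaimStore>();
        return builder.AddProfileService<BucketedProfileService>();
    }
}
```

Call `services.AddIdentityServer().AddBucketedClaims()` in `Startup.ConfigureServices`, after whatever registers the AD-backed login. With this in place the same `ad-guid-0001` subject receives `My.Claim.Name=Bob` when signing in through a client whose `bucket` property is `development`, and `My.Claim.Name=John` through a production client, which is the separation of user store and claims store the question asks for. The `IsActiveAsync` check is the piece people tend to forget: without it, disabling a user in the claims store or in AD does not stop refresh tokens from being honoured.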