This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

Requesting token with optional roles #1065

Closed
LorryMoller opened this issue Mar 11, 2015 · 4 comments

@LorryMoller

I have:

  • rest API server called by an untrusted client app
  • end users can have role1, role2, or both, which would control which API functions are accessible

Rather than asking for both 'role1' and 'role2' claims (will fail for users that only have one) can the client app ask for a token with all role claims?

I tried the Scopes and Claims example code for 'role identity scope' but it returns a claim with a value of "roles" rather than a type of 'roles':

  "client_id": "MyClient",
  "scope": [
    "MyAdminApiScope",
    "roles"
  ],
  "sub": "20338afc-3e0b-447e-813b-5ba6aa81eda3",
  ...

Various combinations of 'role' and 'roles' (such as StandardScopes.Roles) always seem to give me that. So I'm not sure what this is used for - is it to get an access token that can get roles from the UserInfo endpoint?

If I use the IncludeAllClaimsForUser flag for that app I get the role information in the access token how I want:

  "role": [
    "RoleCustomerAdmin",
    "RoleVendorAdmin"
  ],

but also other claim information that I may not want the untrusted client app to have.

I think my options are (Can anyone confirm?):
a) stateless API server asks the userinfo endpoint for roles during each api call (poor performance)
b) client app asks for one token per role/claim (multiple signins?)
c) customize identity server, similar to issue 147 (requires internal knowledge of idsrv3 so could break in a future release?)
d) something I'm missing about the example that will give me what I want

I would think my case would be a very common way of using roles, so hopefully it is option d... if it is c, that would be a good feature to add.

@johnkors
Contributor

I tried the Scopes and Claims example code for 'role identity scope' but it returns a claim with a value of "roles" rather than a type of 'roles':

  "client_id": "MyClient",
  "scope": [
    "MyAdminApiScope",
    "roles"
  ]

Here you're confusing scopes with claims. "roles" is the name of the scope, and is defined in a "scope" JSON array in the JWT. The same access token includes this list of scopes, as well as the corresponding claims for those scopes, depending on how you configure your scopes and claims (IncludeAllClaimsForUser, IdentityScope/ResourceScope) and how you retrieve your access tokens (same round trip as the id_token, or via the back channel later on at the RP).

I would always ask idsrv for the role scope at the client, and then populate that in your IUserService impl (GetProfileDataAsync).

You can read more about scopes and claims in the docs: http://identityserver.github.io/Documentation/docs/configuration/scopesAndClaims.html

When it comes to restricting scope access per client, there is a setting on the client called ScopeRestrictions. Its default is allow all.
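The three knobs named in the reply above (a scope that declares the "role" claim, a per-client scope whitelist, and an IUserService that emits the roles in GetProfileDataAsync) wired together as an added example. This is not code from the thread or from the IdentityServer3 project; it is written against the IdentityServer3 2.x API, and the client id, API scope name, redirect URI, role names and the in-memory user table are assumptions.

```csharp
// Added example, not from the thread or the IdentityServer3 project. Targets the
// IdentityServer3 2.x API; names and the in-memory user table are assumptions.
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer3.Core;                 // Constants
using IdentityServer3.Core.Configuration;   // IdentityServerServiceFactory, Registration
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services;
using IdentityServer3.Core.Services.Default;

public static class Scopes
{
    public static List<Scope> Get()
    {
        return new List<Scope>
        {
            // ScopeType.Resource: the declared claims are written into the access
            // token the API receives. As ScopeType.Identity they would go to the
            // id_token and the userinfo endpoint instead.
            new Scope
            {
                Name = "roles",
                DisplayName = "Roles",
                Description = "Your organizational roles",
                Type = ScopeType.Resource,
                Claims = new List<ScopeClaim>
                {
                    // alwaysInclude: put every "role" claim in the token itself rather
                    // than leaving the API to call userinfo on each request.
                    new ScopeClaim(Constants.ClaimTypes.Role, alwaysInclude: true)
                }
            },
            // The API scope. IncludeAllClaimsForUser stays false, so the untrusted
            // client sees nothing beyond the claims its requested scopes declare.
            new Scope { Name = "MyAdminApiScope", DisplayName = "Admin API", Type = ScopeType.Resource }
        };
    }
}

public static class Clients
{
    public static List<Client> Get()
    {
        return new List<Client>
        {
            new Client
            {
                ClientId = "MyClient",
                Flow = Flows.Implicit,
                RedirectUris = new List<string> { "https://client.example/callback" },
                // Whitelist of scopes this client may request; a request for anything
                // else (e.g. "email") is rejected at the authorize endpoint. The
                // property was called ScopeRestrictions in 1.x and AllowedScopes in 2.x.
                AllowedScopes = new List<string> { "openid", "MyAdminApiScope", "roles" }
            }
        };
    }
}

public class RoleAwareUserService : UserServiceBase
{
    // Constructed sample data; a real service would read roles from its user store.
    private static readonly Dictionary<string, string[]> RolesBySubject =
        new Dictionary<string, string[]>
        {
            { "20338afc-3e0b-447e-813b-5ba6aa81eda3", new[] { "RoleCustomerAdmin", "RoleVendorAdmin" } },
            { "e1b2c3d4-0000-4000-8000-000000000002", new[] { "RoleVendorAdmin" } }
        };

    public override Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var sub = context.Subject.FindFirst(Constants.ClaimTypes.Subject).Value;
        string[] roles;
        if (!RolesBySubject.TryGetValue(sub, out roles)) roles = new string[0];

        // RequestedClaimTypes is derived from the scopes in the request, so a token
        // requested without the "roles" scope carries no role claims at all, and a
        // user who holds only one role simply gets one claim; nothing fails.
        var requested = context.RequestedClaimTypes ?? Enumerable.Empty<string>();
        var wantsRoles = context.AllClaimsRequested || requested.Contains(Constants.ClaimTypes.Role);

        context.IssuedClaims = wantsRoles
            ? roles.Select(r => new Claim(Constants.ClaimTypes.Role, r)).ToList()
            : new List<Claim>();
        return Task.FromResult(0);
    }
}

public static class IdSrvWiring
{
    public static IdentityServerServiceFactory Build()
    {
        var factory = new IdentityServerServiceFactory();
        factory.UseInMemoryScopes(Scopes.Get());
        factory.UseInMemoryClients(Clients.Get());
        factory.UserService = new Registration<IUserService>(typeof(RoleAwareUserService));
        return factory;
    }
}
```

With this configuration a request for `scope=openid MyAdminApiScope roles` yields an access token whose `role` array lists whatever roles the subject has (one or both), while a request for `email` or `profile` from this client is refused because the client's whitelist does not include them.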

@LorryMoller
Author

Thanks for the quick reply! I was already using the code you link to (I have the same link in my question).

I was expecting that asking for the 'roles' scope would return that scope (it did) and also return each of the user's 'role' claims (it did not, unless I use IncludeAllClaimsForUser).

Thanks to your note about IdentityScope/ResourceScope, I got it working with my setup by changing to ScopeType.Resource rather than ScopeType.Identity. Still investigating as I'm fuzzy on the distinction, but now it returns all of the user's roles.

using System.Collections.Generic;
using IdentityServer3.Core;          // Constants.ClaimTypes (IdentityServer3 package namespaces)
using IdentityServer3.Core.Models;   // Scope, ScopeType, ScopeClaim

var roleScope = new Scope
{
    Name = "roles",
    DisplayName = "Roles",
    Description = "Your organizational roles",
    // Changed from the example's ScopeType.Identity: as a resource scope the
    // role claims are written into the access token handed to the API.
    Type = ScopeType.Resource,
    Claims = new List<ScopeClaim>
    {
        // alwaysInclude: emit the role claims in the token itself
        new ScopeClaim(Constants.ClaimTypes.Role, alwaysInclude: true)
    }
};

Thanks!

@nadavten

nadavten commented Jan 5, 2017

Sorry for the ignorance... what is the REST request I should create to get the system roles?

@johnkors
Contributor

johnkors commented Jan 6, 2017

It depends on your client flow/setup, but one might use the /userinfo endpoint (using an access token with the role scope) for that.
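The REST call behind the reply above, as an added example that is not part of the thread or of the IdentityServer3 project. IdentityServer3 serves the OpenID Connect userinfo endpoint at `{authority}/connect/userinfo`; it returns the claims of the identity scopes the access token was issued for, so to get roles this way the "roles" scope must be an identity scope (with the resource-type scope from the earlier comment the roles are already inside the access token and userinfo will not repeat them). The authority URL and token value are placeholders.

```csharp
// Added example, not from the thread or the IdentityServer3 project. The authority
// and token are placeholders; the endpoint path is IdentityServer3's userinfo route.
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;

public static class UserInfoClient
{
    // Equivalent wire request:
    //   GET /connect/userinfo HTTP/1.1
    //   Host: idsrv.example
    //   Authorization: Bearer <access token issued with openid + roles>
    public static async Task<string> GetUserInfoJsonAsync(string authority, string accessToken)
    {
        using (var http = new HttpClient())
        {
            http.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", accessToken);

            var response = await http.GetAsync(authority.TrimEnd('/') + "/connect/userinfo");

            // A missing, expired or otherwise invalid token, or one not issued for the
            // openid scope, comes back as a non-2xx status (typically 401) rather than
            // a partial claim set; surface that instead of parsing an error body.
            response.EnsureSuccessStatusCode();

            // On success the body is a JSON object keyed by claim type, e.g.
            // {"sub":"20338afc-...","role":["RoleCustomerAdmin","RoleVendorAdmin"]}
            // when "roles" is an identity scope that declares the "role" claim.
            return await response.Content.ReadAsStringAsync();
        }
    }
}
```

Usage: `var json = await UserInfoClient.GetUserInfoJsonAsync("https://idsrv.example", accessToken);` from the relying party after it has obtained the token; a stateless API that calls this on every request pays one extra round trip per call, which is the performance cost option (a) in the original question refers to.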
