Requesting token with optional roles #1065
Comments
Here you're confusing scopes with claims. "roles" is the name of the scope, and is defined in a scopes js array in the jwt. The same access token includes this list of scopes, as well as the corresponding claims for those scopes depending on how you configure your scopes and claims (IncludeAllClaimsForUser, IdentityScope/ResourceScope) and how you retrieve your access tokens (same roundtrip as the id_token or via the backchannel later on at the RP). I would always ask idsrv for the role scope at the client, and then populate that in your IUserService impl (GetProfileDataAsync). You can read more about scopes and claims in the docs: http://identityserver.github.io/Documentation/docs/configuration/scopesAndClaims.html When it comes to restricting scope access per client, there is a setting on the client called scoperestrictions. Its default is allow all.
Thanks for the quick reply! I was already using the code you link to (I have the same link in my question). I was expecting that asking for the 'roles' scope would return that scope (it did) and also return each of the user's 'role' claims (it did not, unless I use IncludeAllClaimsForUser). Thanks to your note about IdentityScope/ResourceScope, I got it working with my setup by changing to Scope.Resource rather than Scope.Identity. Still investigating as I'm fuzzy on the distinction, but now it returns all of the user's roles.

```csharp
var roleScope = new Scope
{
    // scope properties as posted were not preserved in the thread
};
```

Thanks!
Sorry for the ignorance... what is the REST request I should create to get the system roles?
It depends on your client flow/setup, but one might use the
I have:
Rather than asking for both 'role1' and 'role2' claims (will fail for users that only have one) can the client app ask for a token with all role claims?
I tried the Scopes and Claims example code for 'role identity scope' but it returns a claim with a value of "roles" rather than a type of 'roles':
```json
"client_id": "MyClient",
"scope": [
  "MyAdminApiScope",
  "roles"
],
"sub": "20338afc-3e0b-447e-813b-5ba6aa81eda3",
...
```
Various combinations of 'role' and 'roles' (such as StandardScopes.Roles) always seem to give me that. So I'm not sure what this is used for - is it to get an access token that can get roles from the UserInfo endpoint?
If I use the IncludeAllClaimsForUser flag for that app I get the role information in the access token how I want:
```json
"role": [
  "RoleCustomerAdmin",
  "RoleVendorAdmin"
],
```
but also other claim information that I may not want the untrusted client app to have.
I think my options are (can anyone confirm?):
a) stateless API server asks the userinfo endpoint for roles during each api call (poor performance)
b) client app asks for one token per role/claim (multiple signins?)
c) customize identity server, similar to issue 147 (requires internal knowledge of idsrv3 so could break in a future release?)
d) something I'm missing about the example that will give me what I want
I would think my case would be a very common way of using roles, so hopefully it is option d... if it is c, that would be a good feature to add.
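The setup the first comment describes (a "roles" scope that carries the "role" claim type, with scope access restricted per client) and the narrow token this issue asks for, written up as an added C# example. It is not code from this issue or from the IdentityServer3 project; the namespace, the `ScopeRestrictions` property name (the page's own term, renamed `AllowedScopes` in later releases), the redirect URI and the user's stored claims are assumptions and are labelled as such in the comments.

```csharp
// Added example, not code from this issue or from IdentityServer3 itself.
// Assumes the IdentityServer3.Core.Models namespace and the v1.x property
// name Client.ScopeRestrictions (later releases call it AllowedScopes).
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using IdentityServer3.Core.Models;

public static class ExampleConfig
{
    public static IEnumerable<Scope> Scopes()
    {
        return new List<Scope>
        {
            StandardScopes.OpenId,

            // "roles" is the scope name; "role" is the claim type it carries.
            // ScopeType.Resource places the claims in the access token
            // (an identity scope targets the id_token / userinfo instead).
            // Listing only "role" is what keeps other user claims out of the
            // token. IncludeAllClaimsForUser = true would copy every claim the
            // user has, which is the over-broad token the issue wants to avoid.
            new Scope
            {
                Name = "roles",
                DisplayName = "Roles",
                Type = ScopeType.Resource,
                Claims = new List<ScopeClaim>
                {
                    // alwaysInclude: the role claims go into the token itself
                    // rather than being available only from the userinfo endpoint
                    new ScopeClaim("role", alwaysInclude: true)
                }
            },

            // API scope named in the issue's token; carries no user claims of its own
            new Scope { Name = "MyAdminApiScope", Type = ScopeType.Resource }
        };
    }

    public static IEnumerable<Client> Clients()
    {
        return new List<Client>
        {
            new Client
            {
                ClientId = "MyClient",                  // client id from the issue
                ClientName = "Example browser client",  // constructed
                Flow = Flows.Implicit,
                RedirectUris = new List<string> { "https://localhost:5000/cb" }, // constructed
                // Per-client least privilege: this client may request these
                // scopes and nothing else (the default is "allow all").
                ScopeRestrictions = new List<string> { "openid", "roles", "MyAdminApiScope" }
            }
        };
    }

    // The server asks your IUserService for profile data and passes the claim
    // types requested by the granted scopes (the exact GetProfileDataAsync
    // signature varies by version). Returning only the requested types is
    // what stops the email/other claims from leaking into the client's token.
    public static IEnumerable<Claim> FilterRequestedClaims(
        IEnumerable<Claim> stored, IEnumerable<string> requestedClaimTypes)
    {
        if (requestedClaimTypes == null)
        {
            return stored.ToList();
        }
        var wanted = new HashSet<string>(requestedClaimTypes);
        return stored.Where(c => wanted.Contains(c.Type)).ToList();
    }

    // Constructed in-memory "user store" using the values shown in the issue.
    public static IEnumerable<Claim> StoredClaimsFor(string subjectId)
    {
        return new List<Claim>
        {
            new Claim("sub", subjectId),
            new Claim("role", "RoleCustomerAdmin"),
            new Claim("role", "RoleVendorAdmin"),
            new Claim("email", "user@example.test")   // constructed; must not leak
        };
    }
}
```

With this configuration a request for `openid roles MyAdminApiScope` yields an access token whose `role` array holds both role values and nothing else from the user's profile, because the only claim type the granted scopes request is `role`; passing `{ "role" }` to `FilterRequestedClaims` over `StoredClaimsFor(...)` returns exactly the two role claims.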