This repository has been archived by the owner on Sep 18, 2021. It is now read-only.
We have a situation where we "own" all facets of the authentication stack: the resources (APIs), the client store, and identity server. We maintain a custom WPF client where we would like to point to these APIs and impersonate the operating user. We look to the WPF ambient context to provide the current user's name and are making a conscious decision to trust that username. We are also consciously considering the WPF app to be a confidential client. The basic requirements here are that the API has reasonable certainty of the identity of both the acting user and the client. I see two methods to do this:
1. Use the Resource Owner Password Credentials flow and:
   - Pass a dummy password for the user
   - Check on the IdentityServer side (I assume in `AuthenticateLocalAsync` or `PreAuthenticateAsync`) that the specific client is permitted to impersonate the given user
   - Add a custom claim to identify the client (which I don't think is normally a part of the access token here, correct?)
2. Use the Client Credentials flow and:
   - Use `additionalValues` in `OAuth2Client.RequestClientCredentialsAsync()` to include an "impersonate:username" key/value pair.
   - Use a custom `IClaimsProvider`
   - Examine the `ValidatedRequest.Raw` values and, if the "impersonate" pair is there, validate that the client is permitted to impersonate the given user and add the claim to the outgoing claims.
Is one approach better than the other? Or are we approaching this completely wrong?
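An added example (not code from the original post, and not IdentityServer's own code) of the second approach wired into IdentityServer3's extension points as I understand them: an `ICustomRequestValidator` rejects a client-credentials request whose `impersonate` value the client is not allowed to use, a `DefaultClaimsProvider` subclass stamps the impersonated user's `sub` into the access token, and the WPF side sends the ambient user name through `OAuth2Client.RequestClientCredentialsAsync()` with `additionalValues`. The `IImpersonationPolicy` store, the `act_as_client` claim name and `Environment.UserName` as the ambient user are this example's own assumptions, and the interface signatures are assumed to match IdentityServer3 2.x.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer3.Core;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services;
using IdentityServer3.Core.Services.Default;
using IdentityServer3.Core.Validation;
using Thinktecture.IdentityModel.Client;

// Hypothetical policy store answering "may client X act on behalf of user Y?".
// Back it with your own client store; the interface is an assumption for this example.
public interface IImpersonationPolicy
{
    Task<bool> MayImpersonateAsync(string clientId, string username);
}

// Step 1: reject the token request up front when the client may not impersonate the
// requested user, so the caller gets an OAuth error rather than a token without a user.
public class ImpersonationRequestValidator : ICustomRequestValidator
{
    public const string ImpersonateParameter = "impersonate";
    private readonly IImpersonationPolicy _policy;

    public ImpersonationRequestValidator(IImpersonationPolicy policy)
    {
        _policy = policy;
    }

    public Task<AuthorizeRequestValidationResult> ValidateAuthorizeRequestAsync(ValidatedAuthorizeRequest request)
    {
        // Impersonation is only meaningful on the token endpoint; authorize requests pass through.
        return Task.FromResult(new AuthorizeRequestValidationResult { IsError = false });
    }

    public async Task<TokenRequestValidationResult> ValidateTokenRequestAsync(ValidatedTokenRequest request)
    {
        var username = request.Raw == null ? null : request.Raw[ImpersonateParameter];

        // No impersonation requested: nothing to check.
        if (string.IsNullOrWhiteSpace(username))
            return new TokenRequestValidationResult { IsError = false };

        // Only the client-credentials grant may carry the parameter; for any other grant
        // the user identity must come from the grant itself, never from a form field.
        if (request.GrantType != Constants.GrantTypes.ClientCredentials)
            return new TokenRequestValidationResult { IsError = true, Error = Constants.TokenErrors.InvalidRequest };

        if (!await _policy.MayImpersonateAsync(request.Client.ClientId, username))
            return new TokenRequestValidationResult { IsError = true, Error = Constants.TokenErrors.UnauthorizedClient };

        return new TokenRequestValidationResult { IsError = false };
    }
}

// Step 2: after validation, add the impersonated user's identity to the access token.
// The client identity is already in the token as client_id, so the API sees both parties.
public class ImpersonatingClaimsProvider : DefaultClaimsProvider
{
    public ImpersonatingClaimsProvider(IUserService users) : base(users) { }

    public override async Task<IEnumerable<Claim>> GetAccessTokenClaimsAsync(
        ClaimsPrincipal subject, Client client, IEnumerable<Scope> scopes, ValidatedRequest request)
    {
        var claims = (await base.GetAccessTokenClaimsAsync(subject, client, scopes, request)).ToList();

        // Client-credentials requests have no subject; that is the only case augmented here.
        var username = request.Raw == null ? null : request.Raw[ImpersonationRequestValidator.ImpersonateParameter];
        if (subject == null && !string.IsNullOrWhiteSpace(username))
        {
            claims.Add(new Claim(Constants.ClaimTypes.Subject, username));
            // Marker so the API can tell a delegated call from an interactive login.
            // The claim type name is this example's own choice.
            claims.Add(new Claim("act_as_client", client.ClientId));
        }
        return claims;
    }
}

// Client side (the WPF app): send the ambient user name as the extra form value.
public static class WpfTokenRequests
{
    public static Task<TokenResponse> RequestDelegatedTokenAsync(
        string tokenEndpoint, string clientId, string clientSecret, string scope)
    {
        var client = new OAuth2Client(new Uri(tokenEndpoint), clientId, clientSecret);
        var extra = new Dictionary<string, string>
        {
            // Environment.UserName stands in for whatever ambient context the app trusts.
            { ImpersonationRequestValidator.ImpersonateParameter, Environment.UserName }
        };
        return client.RequestClientCredentialsAsync(scope, extra);
    }
}
```

Two design choices worth noting: the permission check lives in the request validator rather than the claims provider so that a denied request fails with `unauthorized_client` instead of yielding a token that merely lacks `sub`, and the `impersonate` parameter is only honoured on the client-credentials grant so a password-grant request cannot smuggle in a different identity. Whatever the policy store looks like, keep it as narrow as possible: a secret embedded in a desktop binary can be extracted, and whoever holds it can mint a token for any user that client is permitted to impersonate.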