
IdentityServer and ResourceClaims


I have an API and a web frontend on which the user gets authenticated with IdentityServer.

Now I can introduce scopes like "customer" to get the corresponding claim on the web project.

Now I want a user to have claims on specific customers. Is this something I would do inside IdentityServer? I can't find an API to post new claims for a user.

Or would I have a claims store in my application and then enrich the created principal with these claims?


Solution

  • As a rule of thumb - authorization is done as close as possible to the resource you are trying to protect - e.g. in the API endpoint.

    IdentityServer is authentication/identity as a service - not permissions or authorization.
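
The approach the question's last paragraph asks about, combined with the answer's rule of thumb, as an added sketch (not code from the original post or from IdentityServer): the application keeps its own per-customer grants, attaches them to the token principal as a separate identity, and the API endpoint checks only that identity. The store class, the `customer_access` claim type, the `application` identity type and the sample data are all assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Hypothetical application-owned store: which customers a subject may access (constructed data).
public sealed class CustomerAccessStore
{
    private readonly Dictionary<string, string[]> _grants = new Dictionary<string, string[]>
    {
        ["alice-sub"] = new[] { "cust-1", "cust-7" },
    };
    public IReadOnlyCollection<string> GetCustomerIds(string subject) =>
        _grants.TryGetValue(subject, out var ids) ? ids : Array.Empty<string>();
}

public static class CustomerAuthorization
{
    public const string AppIdentityType = "application";      // assumed name
    public const string CustomerAccessClaim = "customer_access"; // assumed name

    // Adds application claims as their own identity, keyed on the token's "sub" claim.
    public static ClaimsPrincipal Enrich(ClaimsPrincipal tokenPrincipal, CustomerAccessStore store)
    {
        var sub = tokenPrincipal.FindFirst("sub")?.Value;
        if (string.IsNullOrEmpty(sub)) return tokenPrincipal; // no subject: no grants, checks below deny
        var claims = store.GetCustomerIds(sub).Select(id => new Claim(CustomerAccessClaim, id));
        var result = new ClaimsPrincipal(tokenPrincipal.Identities);
        result.AddIdentity(new ClaimsIdentity(claims, AppIdentityType));
        return result;
    }

    // Endpoint check: only claims on the application identity count, never ones carried in the token.
    public static bool CanAccessCustomer(ClaimsPrincipal user, string customerId) =>
        user.Identities.Any(i => i.AuthenticationType == AppIdentityType
                                 && i.HasClaim(CustomerAccessClaim, customerId));
}

public static class Program
{
    public static void Main()
    {
        var token = new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim("sub", "alice-sub") }, "Bearer"));
        var user = CustomerAuthorization.Enrich(token, new CustomerAccessStore());
        Console.WriteLine(CustomerAuthorization.CanAccessCustomer(user, "cust-7"));
        Console.WriteLine(CustomerAuthorization.CanAccessCustomer(user, "cust-2"));
    }
}
```

Keeping the grants on a separate identity means a `customer_access` claim that arrives inside a token is ignored by the check, so the application store stays the only source of per-customer permissions.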