I have the following setup:
I have the auth flow working nicely - I haven't managed to get the admin UI working yet but I can prepopulate users, scopes and clients so that's fine.
When the user auths against IdentityServer3 they are redirected back to the UI and the UI uses the oidc-client to retrieve the user's info from the JWT - the client also uses the bearer token to send to the API to auth requests - all good.
My problem is that the IdentityServer is in charge of authentication / authorization - but the API doesn't yet have any notion of a user - but it needs that.
What is the best way of syncing user info between IdentityServer and my API? How can I best manage things like roles and user hierarchy? Is there a way for the API to query IdentityServer for this? It seems silly holding a copy of the user info locally to the API when we have an identity server that manages all of this.
IdentityServer exposes a UserInfo endpoint (https://identityserver.github.io/Documentation/docsv2/endpoints/userinfo.html) which you can call to retrieve additional information about a user.
However, wherever possible, try to achieve what you need to by passing a token that has the relevant amount of claims so that you can make AuthZ decisions without requiring a call to Identity Server. This reduces coupling, and means you have fewer outbound calls from your API.
E.g. when you sign in, a JWT token could be created that contains the roles the user is a member of plus the user's unique id (sub claim):
{
  "iss": "https://my.api.com/trust",
  "aud": "https://my.api.com",
  "exp": 1512748805,
  "nbf": 1481212805,
  "scope": "openid",
  "sub": "83b0451a718b4d54b930d6fe9cb7b442",
  "idp": "site",
  "roles": [
    "role1",
    "role2"
  ]
}
Your API can now just check the claims presented to it and say 'To call this API endpoint, the token presented to me must have role2 in the roles claim'.
You can also do this with the scopes, using the scope attribute.
A well designed JWT token will contain the right amount of information to make AuthZ decisions without requiring lots of additional calls, whilst keeping the overall size of the token as small as possible - remember, it's included on every request.
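As an added illustration of the approach in this answer (not code from the answer or from IdentityServer), the snippet below validates a token carrying the claims shown above and makes the role/scope decision locally, with no call back to IdentityServer. It assumes an HS256 shared secret standing in for IdentityServer3's RSA signing key so that it runs on the standard library alone; `issue_token`, `validate_token` and `authorize` are hypothetical names.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: HMAC shared secret in place of IdentityServer's RSA key (constructed value).
SECRET = b"constructed-demo-secret"
AUDIENCE = "https://my.api.com"  # the API's own identifier, as in the sample token

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict) -> str:
    """Mint a compact JWS the way the token service would (for constructing samples)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_token(token: str, now=None) -> dict:
    """Check signature, audience and the nbf/exp window; return the trusted claims."""
    now = int(time.time()) if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")
    # Pin the algorithm instead of trusting whatever the token header announces.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != AUDIENCE:
        raise ValueError("token not issued for this API")
    if now >= claims.get("exp", 0) or now < claims.get("nbf", 0):
        raise ValueError("token outside its validity window")
    return claims

def authorize(claims: dict, required_role: str, required_scope: str = "openid") -> bool:
    """The local AuthZ decision: role and scope are read from the token itself."""
    roles = claims.get("roles", [])
    scopes = claims.get("scope", "")
    # A single role or scope may be serialised as a bare string rather than a list.
    roles = [roles] if isinstance(roles, str) else list(roles)
    scopes = scopes.split() if isinstance(scopes, str) else list(scopes)
    return required_role in roles and required_scope in scopes
```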