Tags: c#, asp.net-core, asp.net-web-api, asp.net-identity, identityserver4

IdentityServer4 How do roles behave?


I'm trying to set up an IdentityServer 4 asp.net core application. I'm following this tutorial: Getting started with IdentityServer4

I configured all the test collections in the Startup class; I start the application and log in as one of the test users I have configured.

Client:

new Client
{
    ClientId = "teacup.Showroom",
    ClientName = "teacup showroom client",
    AllowedGrantTypes = GrantTypes.ClientCredentials,
    ClientSecrets = new List<Secret>
    {
        new Secret("super.secret.key".Sha256())
    },
    AllowedScopes = new List<string>
    {
        "teacup.Authenticate",
        "teacup.Register"
    }
}

Identity resources:

new List<IdentityResource> {
    new IdentityResources.OpenId(),
    new IdentityResources.Profile(),
    new IdentityResources.Email(),
    new IdentityResource {
        Name = "customer",
        UserClaims = new List<string> {"customer"}
    }
};

API resource:

new ApiResource {
    Name = "teacup",
    DisplayName = "teacup API",
    Description = "teacup API Access",
    UserClaims = new List<string> {"customer"},
    ApiSecrets = new List<Secret> {new Secret("scopeSecret".Sha256())},
    Scopes = new List<Scope> {
        new Scope("teacup.Authenticate"),
        new Scope("teacup.Register")
    }
};

This is the test user I'm logging in with:

new TestUser {
    SubjectId = "5BE86359-073C-434B-AD2D-A3932222DABE",
    Username = "small",
    Password = "th",
    Claims = new List<Claim> {
        new Claim(JwtClaimTypes.Email, "[email protected]"),
        new Claim(JwtClaimTypes.Role, "customer")
    }
}

When I try to log in, the server responds with success, but tells me that the user has no access permission over any of my resources. Can you tell me why?



Solution

  • You don't have any applications (aka clients) that are using OAuth flows that involve users. Your only client, teacup.Showroom, is using GrantTypes.ClientCredentials, which is designed specifically to work outside of a user context, so naturally there is no way for your user to grant access to any applications, as there are no eligible applications to begin with.

    You should check the Identity Server 4 Samples and in particular, you can start with the samples for Implicit Flow, which will involve the user logging in and giving consent to the application (client), and which will therefore also appear in the "Client Application Access" view afterwards.
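An added example (not part of the question or the answer, and not IdentityServer's own sample code) showing what a user-facing configuration looks like next to the question's client-credentials client. It follows the IdentityServer4 2.x/3.x API the question uses (`Scope` objects on `ApiResource`), adds a browser client on the authorization code flow with PKCE (the interactive flow now recommended over the implicit flow the answer points to), and requests `JwtClaimTypes.Role` rather than a claim type named `customer`, because the test user's role is carried in a claim of type `role` whose value is `customer`. The second client id, its redirect URIs and the `roles` identity resource are assumptions; everything else is taken from the question.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using IdentityModel;
using IdentityServer4;
using IdentityServer4.Models;
using IdentityServer4.Test;

// Added example configuration; client ids, URIs and secrets are placeholders.
public static class Config
{
    public static IEnumerable<IdentityResource> GetIdentityResources() =>
        new List<IdentityResource>
        {
            new IdentityResources.OpenId(),
            new IdentityResources.Profile(),
            new IdentityResources.Email(),
            // Assumed identity scope that exposes the user's "role" claim.
            new IdentityResource("roles", "User roles", new[] { JwtClaimTypes.Role })
        };

    public static IEnumerable<ApiResource> GetApiResources() =>
        new List<ApiResource>
        {
            new ApiResource
            {
                Name = "teacup",
                DisplayName = "teacup API",
                Description = "teacup API Access",
                // Claim types copied into access tokens issued for this API.
                // The test user's role is a claim of type "role" with value "customer",
                // so the claim type to request is "role", not a type called "customer".
                UserClaims = new List<string> { JwtClaimTypes.Role },
                ApiSecrets = new List<Secret> { new Secret("scopeSecret".Sha256()) },
                Scopes = new List<Scope>
                {
                    new Scope("teacup.Authenticate"),
                    new Scope("teacup.Register")
                }
            }
        };

    public static IEnumerable<Client> GetClients() =>
        new List<Client>
        {
            // Machine-to-machine client exactly as in the question: no user is ever
            // involved, so it can never show up among a user's granted applications.
            new Client
            {
                ClientId = "teacup.Showroom",
                ClientName = "teacup showroom client",
                AllowedGrantTypes = GrantTypes.ClientCredentials,
                ClientSecrets = { new Secret("super.secret.key".Sha256()) },
                AllowedScopes = { "teacup.Authenticate", "teacup.Register" }
            },
            // Interactive client: a user signs in and consents, the grant is stored,
            // and that stored grant is what the "Client Application Access" page lists.
            new Client
            {
                ClientId = "teacup.Web",                // placeholder
                ClientName = "teacup web front end",    // placeholder
                AllowedGrantTypes = GrantTypes.Code,
                RequirePkce = true,                     // bind the code to the browser that started the flow
                RequireClientSecret = false,            // public client; PKCE replaces the secret
                RedirectUris = { "https://localhost:5002/signin-oidc" },                     // placeholder
                PostLogoutRedirectUris = { "https://localhost:5002/signout-callback-oidc" }, // placeholder
                RequireConsent = true,
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    IdentityServerConstants.StandardScopes.Email,
                    "roles",
                    "teacup.Authenticate"
                }
            }
        };

    public static List<TestUser> GetUsers() =>
        new List<TestUser>
        {
            new TestUser
            {
                SubjectId = "5BE86359-073C-434B-AD2D-A3932222DABE",
                Username = "small",
                Password = "th",
                Claims = new List<Claim>
                {
                    new Claim(JwtClaimTypes.Email, "[email protected]"),
                    new Claim(JwtClaimTypes.Role, "customer")
                }
            }
        };
}
```

Register these with `AddInMemoryIdentityResources`, `AddInMemoryApiResources`, `AddInMemoryClients` and `AddTestUsers` in `Startup`, as in the tutorial. Two things to keep in mind when checking the result: by default IdentityServer delivers identity-scope claims from the userinfo endpoint rather than inside the id_token, so set `AlwaysIncludeUserClaimsInIdToken = true` on the interactive client if the role must be in the token itself; and the `role` claim only reaches the access token for `teacup` because the API resource lists `JwtClaimTypes.Role` in `UserClaims`.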