How to authorize different roles on a .Net 5 OAuth API
I have an IdentityServer4 application, a client application and a .Net 5 API. I want the client application to be able to talk to my API on the users behalf with an access token. Some users should be able to do admin requests while others should only be able to do normal user tasks.
I believe I need to add two scopes for these, api.admin and api.normal.
First question is where would I add these scopes in identityserver? Does the client request both scopes and just gets back whatever IS decides is right for that user?
Secondly, how do I validate what scopes are in the access token on my API. Method 1 should only be used if the access token contains the api.admin scope for eg.
Thanks!
First, scopes are something you typically hard-code in your client and it does not "vary" between users. It main purpose is to indicate what the "client" application want to have access to, not the user.
So you only need only one scope like "api".
Then you have different roles or claims in the access-token that describe what the authenticated user have access to.
You then use the authorization middleware in the API to determine what the user actually have access to.
Like what the picture below shows:
- Interact with the Virtualize component
- Cannot resolve scoped service 'xx.IEnumerable`1[xx.IDbContextOptionsConfiguration`1[xx.ExampleDbContext]]...' after upgrading from .NET 8 to .NET 9
- How i can add endpoint (or сatch a request and check its path) to BCL?
- How does the "Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore" package resolves types which are in "Microsoft.AspNetCore.dll"?
- Customize output Serilog
- Unhandled exception. System.InvalidOperationException
- Is it possible to use ASP.NET Core within an F# fsx script?
- How to send data with the size more than Signalr message size limit in Blazor?
- IDX12723: Unable to decode the payload '[PII of type 'System.String' is hidden
- UpdateRange method of Entity Framework Core does not work
- How to enable CORS in ASP.net Core WebAPI
- Why does my CORS configuration still block datatables from consuming an API?
- .NET return JSON without reformating
- .NET 8 & SQL Server 2016 - Contains() throws error
- Multiple many-to-many and multiple one-to-one relationships in the same entities
- Unable to Select Custom User Class in Identity Scaffolding
- How to redirect to an ASP.NET Core Razor Page without using routes
- Username is already taken when actually it is not ASP.NET Core
- Cancellation Token Injection
- How to log using serilog to elasticsearch with Elastic.Serilog.Sinks in .net application
- Invoking SignalR from Postman
- How does the Form Tag Helper determine the rendered form action?
- How can I get a list of registered middleware in ASP.NET Core?
- Why does my ASP.NET Core 5 Razor Page return a 404 on IIS, but not in Visual Studio?
- Add Username into Serilog
- Serilog logging to different tables
- VS 2022 ASP.Net Core MVC Simple Bootstrap Menu Not Working
- SignalR does not send anything to clients in BackgroundService/StopAsync
- ASP.NET Core website visitor statistics counter
- Return url functionality