Search code examples
identityserver4google-authenticationclaims-based-identityuser-rolesapi-authorization

IdentityServer4: How to set a role for Google user?

I have 3 applications:

  • An IdentityServer4 API which provides Google authentication and also provides an access token to authorize the resource API.
  • A simple Resource API which provides some data from DB.
  • A simple Client in React which have 4 buttons:
    • Login, for Google auth
    • Logout
    • Get data - a simple request with the access token to the Resource API and gets the data from Db
    • Get user data - returns user profile and token (for debug purpose)

I didn't put any sample code because my problem is not code related, it's knowledge that I'm missing and I ask for guidance.

The workflow is working just fine: the user press the Login button, it is redirected to IdentityServer4 API for Google Auth. From there it is redirected to a Callback Page from the Client and from there to the Index page. I receive the user data and the token, I can request data from the Resource API and it's working.

My problem is: How do I give a Role to the Google Users ? I don't have users saved in DB. I want three types of Users: SuperAdmin, Admin, Viewer and each of these roles have limited Endpoints which can access.

For limiting their access I saw that I can use Claims-based authorization or Role-based authorization.

So, my question is how ca I give a Google User who wants to login in my app, a specific Claim/Role ? What is the workflow ? I must save it first in DB ? Or there exists a service from Google where I can add an email address and select a Role for that address ?

Thank you very much !

Solution

  • After you get the response from Google in your callback you can handle the user and do what ever you want to do with it. Below are the some typical tasks that you can do in callback that I took from documentation page of identityserver4 link:

    Handling the callback and signing in the user

    On the callback page your typical tasks are:

    • inspect the identity returned by the external provider.
    • make a decision how you want to deal with that user. This might be different based on the fact if this is a new user or a returning user.
    • new users might need additional steps and UI before they are allowed in.
    • probably create a new internal user account that is linked to the external provider.
    • store the external claims that you want to keep.
    • delete the temporary cookie
    • sign-in the user

    What I would do is creating an new internal user account that is linked to the external provider and add a role to that user.

    If you don't want to save users in db, you can add an extra claim to user in callback method and use that claim in token. and i think this link will help with that.