I followed the tutorial for having an Identity Server storing Users with ASP.NET Identity and accessing it with an MVC client. I would like the users to be able to manage their account. The most basic way was to set on the MVC client a Manage button doing a redirect to the Manage controller in IS4
MVC client:

```csharp
[Authorize]
public IActionResult Manage()
{
    ViewData["Message"] = "Secure page.";
    return Redirect("http://localhost:5000/Manage"); // Go to IS4 ASP.NET Identity
}
```
And on the Manage page of IS4/ASP.NET identity I add a button which redirects back to the client
```html
<a href="http://localhost:5002/">Done</a>
```
Is that a correct practice security wise?
Thanks
Nothing wrong with that (from a security point of view) - what are your concerns?
there are values that the user should be allowed to modify and others that only an admin should be allowed to access. So you probably need two pages with different [Authorize] tags. Some detail I found useful here https://wiki.idesg.org/wiki/index.php?title=Best_Practices_and_Example_for_RP_System
@leastprivilege, I was wondering if there is no need to get a token and/or build something like a BuildManageViewModelAsync before being allowed to go to the Manage controller, in the same way as we do for the login. So, if I understand well, the only place in the AccountController in the IS4 project where there is a cross talk with my MVC client is in the Login and Logout method (which is indeed where you use an AccountService _account). Is that correct?
Thanks @TomCJones , I will look into that, it sounds interesting.
I don't follow - you want the user to be able to manage its data - then redirect him to the manage page - this page of course only allows already authenticated users.
See the "manage grants" page in our UI - it's an example of a local page protected by the standard login page.
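To make the pattern discussed above concrete, here is an added example of the IS4-side pages (not from the original issue and not IdentityServer4's own code). Because the browser already holds the IdentityServer login cookie from the sign-in the MVC client triggered, a plain `[Authorize]` on a local controller is enough: an anonymous visitor is challenged with the standard login page, an authenticated one gets straight through, and no extra token exchange is involved. It also shows the split from the comment above, a self-service page and a separate admin-only page with a different authorization requirement. `ApplicationUser` is the quickstart's Identity user type; `ClientUrls`, the `"AdminOnly"` policy, the view names and the `Index` action names are assumptions.

```csharp
// Added example (not from the original issue or from IdentityServer4 itself).
// Assumed: ApplicationUser (quickstart user type), ClientUrls options class,
// an "AdminOnly" authorization policy registered in Startup, and the view names.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;

// Assumed options class, bound from configuration (e.g. appsettings.json),
// so the "Done" link target is not hard-coded in the view.
public class ClientUrls
{
    public string MvcClient { get; set; }   // e.g. "http://localhost:5002/"
}

public class ManageViewModel
{
    public string Email { get; set; }
    public string PhoneNumber { get; set; }
}

// Self-service page: protected only by the standard IS4 login.
// [Authorize] issues a challenge to anonymous visitors, which is the same
// login page the MVC client's authorize request lands on.
[Authorize]
public class ManageController : Controller
{
    private readonly UserManager<ApplicationUser> _userManager;
    private readonly ClientUrls _clientUrls;

    public ManageController(UserManager<ApplicationUser> userManager,
                            IOptions<ClientUrls> clientUrls)
    {
        _userManager = userManager;
        _clientUrls = clientUrls.Value;
    }

    [HttpGet]
    public async Task<IActionResult> Index()
    {
        // Resolves the locally signed-in user from the IS4 cookie principal.
        var user = await _userManager.GetUserAsync(User);
        if (user == null) return Challenge();

        var model = new ManageViewModel { Email = user.Email, PhoneNumber = user.PhoneNumber };
        ViewData["ReturnToClient"] = _clientUrls.MvcClient;   // used by the "Done" link
        return View(model);
    }

    [HttpPost]
    [ValidateAntiForgeryToken]   // the form is a normal cookie-authenticated POST
    public async Task<IActionResult> Index(ManageViewModel model)
    {
        if (!ModelState.IsValid) return View(model);

        var user = await _userManager.GetUserAsync(User);
        if (user == null) return Challenge();

        // Only fields a user may change about themselves are on this form;
        // roles and claims are deliberately not editable here.
        var result = await _userManager.SetPhoneNumberAsync(user, model.PhoneNumber);
        if (!result.Succeeded)
        {
            foreach (var error in result.Errors)
                ModelState.AddModelError(string.Empty, error.Description);
            return View(model);
        }

        ViewData["ReturnToClient"] = _clientUrls.MvcClient;
        return View(model);
    }
}

// Admin-only page: same login cookie, stricter authorization requirement.
// "AdminOnly" is an assumed policy, e.g. options.AddPolicy("AdminOnly",
// p => p.RequireRole("admin")) in Startup.ConfigureServices.
[Authorize(Policy = "AdminOnly")]
public class UserAdminController : Controller
{
    private readonly UserManager<ApplicationUser> _userManager;

    public UserAdminController(UserManager<ApplicationUser> userManager)
    {
        _userManager = userManager;
    }

    [HttpGet]
    public IActionResult Index()
    {
        // Lists every user; an ordinary user never reaches this action.
        return View(_userManager.Users);
    }
}
```

In the Manage view the "Done" link then reads `<a href="@ViewData["ReturnToClient"]">Done</a>` instead of a literal client URL, so moving the client to another host is a configuration change rather than a view edit.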
Yes, you are right, you answered me. Thanks a lot.