Identityserver4: Merge ASP.net Identity (roles) and IdentityServer 4

Created on 25 Sep 2017 · 12 Comments · Source: IdentityServer/IdentityServer4

I want to merge my IdentityServer 4 and ASP.NET Identity, because I want to use role based authentication. (Two kinds of users: Admins and Users)

I have IdentityServer with configuration in a database (allowed scopes (like "api1"), allowed clients (like a client name, client secret)). Also I have an ASP.NET Identity database that consists of users, roles, and the connection between user and role.

I went the following way:

  1. Create IdentityServer with in-memory users and scopes
  2. Upgrade IdentityServer to IdentityServer with users from ASP.NET Identity
  3. Upgrade IdentityServer to IdentityServer with configuration in the database
  4. Create ApplicationRole.cs, create a DB migration, apply the DB migration.
  5. Add some roles in the DB, add the connection between user and role (manually)

My ApplicationRole:

using System;
using Microsoft.AspNetCore.Identity; // Microsoft.AspNetCore.Identity.EntityFrameworkCore on ASP.NET Core 1.x

// Custom role type: IdentityRole (string key) extended with two extra columns
public class ApplicationRole : IdentityRole
{
    public string Description { get; set; }
    public DateTime CreateDate { get; set; }
}

ApplicationDbContext

public class ApplicationDbContext : IdentityDbContext<ApplicationUser, ApplicationRole,string>...
Part of Startup.cs:

services.AddIdentity<ApplicationUser, ApplicationRole>()
            .AddEntityFrameworkStores<ApplicationDbContext>()
            .AddDefaultTokenProviders();

.......

 services.AddIdentityServer()
            .AddTemporarySigningCredential()
            .AddAspNetIdentity<ApplicationUser>()
            .AddConfigurationStore(builder =>
                builder.UseSqlServer(connectionString, options =>
                    options.MigrationsAssembly(migrationsAssembly)))
            .AddOperationalStore(builder =>
                builder.UseSqlServer(connectionString, options =>
                    options.MigrationsAssembly(migrationsAssembly)));

API project with Startup configuration:

 app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
        {
            Authority = "http://localhost:5000",
            RequiredScopes = new[] { "api1" }
        });

How can I use roles from ASP.NET Identity?

question


All 12 comments

You should read our quickstarts on ASP.NET Identity.

@AlexGnatuyk ASP.NET Identity roles will become role claims. The only thing you have to do is grant roles as a resource to the client.

what in the world could a role/claim be?
Roles are local to the client.
Claims are remote from the client.
is a role/claim a local/remote object?


@TomCJones In some cases you do, for data you want to share with other applications. Particularly if you are the owner of these applications and you want a single role management store. In most cases, you don't.

@singlewind Sorry, but I don't quite understand how to do this. Can you explain by example?

@brockallen I had read it, but didn't find any benefit. I don't understand how to do that. (There's nothing about roles.)

I don't understand the difference between that and a claim.
In any case it is completely beyond the scope of the OpenID Connect protocol.
How you store claims is completely up to you and whatever 3rd party s/w package that you chose.


@TomCJones You are right. A claim is just a key-value record. It can be stored in whatever format you like. The role claim is just one of the standard claims. ASP.NET Identity is just a membership system that needs to be generic to fit different use cases. IdentityServer4's identity implementation did the translation for you, the same as for the email and phone number claims.

@AlexGnatuyk
On the server side:

  1. add the identity resource role
  2. add role to the scopes of your designated client

On the client side:

  1. when configuring the OpenID Connect middleware, remember to put role in the scope list

PS: Microsoft configures the key of the role claim using their own namespace key instead of the standard key value. You need to configure the TokenValidationParameters property to match the value. Or you can implement IProfileService on the server to override the claim list.
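
One way to wire up those three steps, as an added example in C# that is not code from this thread or from the IdentityServer4 project. It assumes IdentityServer4 2.x on ASP.NET Core 2.0 with AddAspNetIdentity<ApplicationUser>() already in place as in the question; the client id "mvc", its secret, the redirect URI, and the RoleProfileService and ClientAuthSetup class names are assumptions. It goes slightly beyond the comment in two places: listing "role" under the API resource's UserClaims (so the role claim also reaches the access token the API project validates) and setting AlwaysIncludeUserClaimsInIdToken on the client (so the claim lands in the id_token rather than only at the userinfo endpoint).

```csharp
// Added example, not from the issue thread or the IdentityServer4 project itself.
// Assumes IdentityServer4 2.x on ASP.NET Core 2.0 with AddAspNetIdentity<ApplicationUser>()
// already configured as in the question. Client id "mvc", secret "secret", the redirect
// URI and the class names below are assumptions chosen for the example.
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// ---- IdentityServer side -------------------------------------------------------
public static class Config
{
    // Server step 1: expose "role" as an identity resource, so requesting the
    // scope "role" releases claims of type "role".
    public static IEnumerable<IdentityResource> GetIdentityResources() => new List<IdentityResource>
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile(),
        new IdentityResource("role", new[] { "role" })
    };

    // Beyond the comment: UserClaims puts "role" into access tokens for api1, which is
    // what [Authorize(Roles = "...")] on an API controller needs.
    public static IEnumerable<ApiResource> GetApiResources() => new List<ApiResource>
    {
        new ApiResource("api1", "Example API") { UserClaims = { "role" } }
    };

    // Server step 2: grant the "role" scope to the designated client.
    public static IEnumerable<Client> GetClients() => new List<Client>
    {
        new Client
        {
            ClientId = "mvc",
            ClientSecrets = { new Secret("secret".Sha256()) },
            AllowedGrantTypes = GrantTypes.Hybrid,
            RedirectUris = { "http://localhost:5002/signin-oidc" },   // assumed client URL
            AllowedScopes = { "openid", "profile", "role", "api1" },
            // Beyond the comment: emit identity claims in the id_token itself.
            AlwaysIncludeUserClaimsInIdToken = true
        }
    };
}

// Alternative from the PS: a profile service that reads roles straight from the
// ASP.NET Identity store and emits them under the standard "role" claim type.
// Register it after AddAspNetIdentity<ApplicationUser>() via .AddProfileService<RoleProfileService>().
public class RoleProfileService : IProfileService
{
    private readonly UserManager<ApplicationUser> _users;   // ApplicationUser is the question's user type
    public RoleProfileService(UserManager<ApplicationUser> users) => _users = users;

    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var user = await _users.GetUserAsync(context.Subject);
        if (user == null) return;
        var claims = (await _users.GetRolesAsync(user)).Select(r => new Claim("role", r)).ToList();
        claims.Add(new Claim("name", user.UserName ?? string.Empty));
        // Release only the claim types the client's granted scopes asked for.
        context.AddRequestedClaims(claims);
    }

    public async Task IsActiveAsync(IsActiveContext context)
    {
        // Refuse tokens for subjects that no longer exist in the Identity store.
        context.IsActive = await _users.GetUserAsync(context.Subject) != null;
    }
}

// ---- Client side (ASP.NET Core 2.0 OpenID Connect middleware) -------------------
public static class ClientAuthSetup
{
    public static void ConfigureServices(IServiceCollection services)
    {
        // Stop the JWT handler from renaming "role"/"name" to the long Microsoft URI claim types.
        JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

        services.AddAuthentication(options =>
            {
                options.DefaultScheme = "Cookies";
                options.DefaultChallengeScheme = "oidc";
            })
            .AddCookie("Cookies")
            .AddOpenIdConnect("oidc", options =>
            {
                options.Authority = "http://localhost:5000";   // authority from the question
                options.ClientId = "mvc";
                options.ClientSecret = "secret";
                options.ResponseType = "code id_token";
                options.SaveTokens = true;
                options.Scope.Add("role");   // client step: request the role scope
                options.Scope.Add("api1");
                // Tell [Authorize(Roles = "...")] which claim type carries the role.
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    NameClaimType = "name",
                    RoleClaimType = "role"
                };
            });
    }
}
```

Only one of the two server-side routes is needed: either the "role" identity resource together with the RoleClaimType mapping on the client, or the IProfileService, which already emits the claims under the plain "role" type. Whatever the interactive client maps, an API only sees roles that are inside the access token, so role checks on API controllers depend on the UserClaims entry of the ApiResource rather than on the client's OpenID Connect settings.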

All set on this issue -- can we close?

@brockallen
I am stuck with the same issue.
I need to implement Role Based Authorization on API Controller Actions.
The Authorization works well without [Authorize(Roles="Any_RoleName")].
please suggest?

I have posted a question for the same on StackOverflow;
https://stackoverflow.com/questions/50266114/role-based-authorization-for-web-api-with-identityserver4

Thanks.

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
