Identity Server: Limiting what tokens can do

  • Question

  • User1358036820 posted

    I am new to token-based auth, in Identity Server at least. Normally I work with custom token providers etc. and don't really deal with things like grants and scopes.

    I understand the purpose of Identity Server is to protect applications like my APIs with token auth. I am however a bit confused on the following.

    1) Say I have a mobile app which is set up in IdSrv as a client. The token provided is used to access the API and perform various operations. What do I check if I don't want that token to get any user data?

    2) What do I check if I do want that token to allow requests for user tokens?

    App 1

    Standard mobile app set up as a client that can call the API to do certain things (I know I can do this by policies etc.), but I don't want that app to allow access to any user data.

    Another mobile app; this one can act on behalf of a user and access certain user data.

    All I am looking for here are the correct terms to read about so I get a better understanding of the above scenarios.

    Any advice appreciated.

    Thursday, December 19, 2019 5:26 PM


All replies

  • User475983607 posted

    ammd

    1) Say I have a mobile app which is set up in IdSrv as a client. The token provided is used to access the API and perform various operations. What do I check if I don't want that token to get any user data?

    What user data? The token must have at least the user's Id and claims. Anyway, you have control over what's in the token. The quick start covers this information.

    http://docs.identityserver.io/en/latest/quickstarts/0_overview.html

    ammd

    2) What do I check if I do want that token to allow requests for user tokens?

    Are you asking about getting an access token?

    ammd

    Standard mobile app set up as a client that can call the API to do certain things (I know I can do this by policies etc.), but I don't want that app to allow access to any user data.

    This has nothing to do with Identity Server. It is up to you to write code that does not expose user data.

    ammd

    Another mobile app; this one can act on behalf of a user and access certain user data.

    Same as above. It is up to you to design and write code to meet this security requirement. I assume you would use a claim or role to convey this situation.

    Thursday, December 19, 2019 5:49 PM
  • User1358036820 posted

    Thanks for the reply. I will have a read again and come back if I can't find anything. Appreciate the quick response.

    Friday, December 20, 2019 3:40 PM
  • User475983607 posted

    Hi mgebhard

    I appreciate your reply and would like to make a few things clear.

    I have the following demo set up, very simple.

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();

        // Identity Server host: in-memory resources, clients and test users (demo only)
        services.AddIdentityServer(options =>
            {
                options.Events.RaiseErrorEvents = true;
                options.Events.RaiseFailureEvents = true;
                options.Events.RaiseInformationEvents = true;
                options.Events.RaiseSuccessEvents = true;
            })
            .AddInMemoryApiResources(Config.GetApis())
            .AddInMemoryIdentityResources(Config.GetIdentityResources())
            .AddInMemoryClients(Config.GetClients())
            .AddTestUsers(TestUsers.Users)
            .AddDeveloperSigningCredential(persistKey: false);

        // The API lives in the same host; its access tokens must carry the "api" scope
        services.AddAuthentication()
            .AddLocalApi(options =>
            {
                options.ExpectedScope = "api";
            });

        // preserve OIDC state in cache (solves problems with AAD and URL lengths)
        services.AddOidcStateDataFormatterCache("aad");

        // add CORS policy for non-IdentityServer endpoints
        services.AddCors(options =>
        {
            options.AddPolicy("api", policy =>
            {
                policy.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod();
            });
        });

        // demo versions (never use in production)
        services.AddTransient<IRedirectUriValidator, DemoRedirectValidator>();
        services.AddTransient<ICorsPolicyService, DemoCorsPolicy>();
    }

    To be clear, the API, as you can see, is hosted in the same project.

    The controller has the Authorize attribute.

    If I call an endpoint like /api/test it redirects me and asks me to log in, which is what I expect.

    I just need to make sure I understand this correctly.

    1) The API is itself a client registered with IdSvr?

    2) If the API is a client itself, surely it would need some form of authorization code or token?

    From my understanding each client is able to request a token and call API endpoints once it has a valid token.

    Your description indicates that the browser is a client. The browser tried to access a secured resource and is redirected to Identity Server to log in. A successful login redirects the browser back to the web application with an access token. The framework places the access token in an authentication cookie.

    The application becomes the client when it accesses a secured Web API. The access token is read from the cookie and passed to the Web API. The Web API knows how to validate the access token using the configuration that you set up.

    Again, this is all explained in the Identity Server documentation.

    Friday, December 20, 2019 4:07 PM
  • User1358036820 posted

    Thanks again. The only issue I have now is how do I set up a mobile client vs a web client.

    Scenario: I have 2 apps, one mobile, one MVC. The MVC app I know how to set up and create a client for, as this is in the samples, so no issues here.

    The mobile app, on the other hand, is not in the samples, and I am trying to figure out how to set up a mobile client and whether the mobile app will receive tokens via redirect or can request them from an endpoint, e.g. /token.

    Basically I think I need to know the grant type, as people are using things like hybrid or auth code type. Which is the best approach?

    Saturday, January 11, 2020 4:05 PM
  • User475983607 posted

    If the mobile client is a web browser then there is nothing else to do. If your mobile client is an application that you wrote, then make an HTTP request to get the access token and pass the token on successive requests. The Identity Server documentation specifically and openly covers this scenario using a console application. The community has no idea what you used to create the mobile app, but you should be able to read the docs to figure out how to make an HTTP request.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Saturday, January 11, 2020 5:25 PM
  • User1358036820 posted

    @mgebhard Again very appreciated; it answered some of the questions. I looked into the samples and the only thing I did not find was an example for the following scenario. If you can point me in the direction of articles etc. that cover it, it would be appreciated.

    Client - An app that accesses our API using a token (however, the app can do certain operations without needing a user to be logged in.

    My understanding - The app is a client, conceptually a user. Correct? (Using Authorization Code flow the app obtains a code and exchanges it for a token.) Here is where I am a bit stuck, because all examples take me to a login page.

    Now some API endpoints require a User to be logged in?

    Is my understanding correct as follows:

    The app can obtain an access_token allowing it to call Authorized endpoints, at which point the app is logged in but the user is not?

    If another authorized endpoint exists, for example [Authorize(Roles="Admin")], then another call is made to retrieve an id_token which will allow me to be logged in as a user with the appropriate claims?

    Do correct me where I am not right so I can find more information. I have been searching for such an example on git but have not found any.

    Thanks

    Thursday, January 16, 2020 10:03 PM
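The terms the thread circles around are grant types, scopes and claims. The following is an added example, not code from any post in this thread nor from the IdentityServer project, showing how the two apps from the original question would be registered and how the API could tell their tokens apart. It assumes IdentityServer4 v3.x (the version current when the thread was written, where `new ApiResource("api")` also registers a scope named "api" to match `ExpectedScope` in the host above); the client ids `mobile-app-only` and `mobile-user-app`, the redirect URI, the secret and the policy name `UserData` are hypothetical placeholders.

```csharp
// Added example, not from the thread. Assumes IdentityServer4 v3.x; all names are placeholders.
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public static class ExampleConfig
{
    // One API resource; in v3 the constructor also creates the "api" scope.
    public static IEnumerable<ApiResource> GetApis() =>
        new[] { new ApiResource("api", "Demo API") };

    // Identity scopes are what carry user data; only the on-behalf-of-user client may request them.
    public static IEnumerable<IdentityResource> GetIdentityResources() =>
        new IdentityResource[] { new IdentityResources.OpenId(), new IdentityResources.Profile() };

    public static IEnumerable<Client> GetClients() =>
        new[]
        {
            // App 1: calls the API without any logged-in user. The client credentials grant
            // never involves a user, so the access token has no "sub" claim and cannot be
            // granted identity scopes; it can only do what the "api" scope allows.
            new Client
            {
                ClientId = "mobile-app-only",                                   // placeholder
                ClientSecrets = { new Secret("replace-with-real-secret".Sha256()) }, // placeholder
                AllowedGrantTypes = GrantTypes.ClientCredentials,
                AllowedScopes = { "api" }
            },

            // App 2: acts on behalf of a user. Authorization code + PKCE is the grant for
            // native/mobile apps: the user logs in at Identity Server, the app exchanges the
            // code at /connect/token, and the resulting token carries "sub" plus the identity
            // scopes listed here.
            new Client
            {
                ClientId = "mobile-user-app",                   // placeholder
                RequireClientSecret = false,                    // public client: a mobile app cannot keep a secret
                AllowedGrantTypes = GrantTypes.Code,
                RequirePkce = true,
                RedirectUris = { "com.example.app://callback" }, // placeholder custom scheme
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    "api"
                },
                AllowOfflineAccess = true                        // refresh tokens for the mobile session
            }
        };
}

// On the API side, a policy requiring a subject claim separates the two token kinds:
// a client-credentials token passes the scope check but has no "sub", so it fails "UserData".
public static class ExampleAuthorization
{
    public const string UserDataPolicy = "UserData"; // placeholder policy name

    public static void AddPolicies(AuthorizationOptions options)
    {
        options.AddPolicy(UserDataPolicy, policy =>
            policy.AddAuthenticationSchemes(IdentityServerConstants.LocalApi.AuthenticationScheme)
                  .RequireAuthenticatedUser()
                  .RequireClaim("sub"));
    }
}

[ApiController]
[Route("api/[controller]")]
// Authenticate with the local API scheme (bearer token with the "api" scope) rather than
// the cookie scheme, so an unauthenticated call gets 401 instead of a redirect to login.
[Authorize(AuthenticationSchemes = IdentityServerConstants.LocalApi.AuthenticationScheme)]
public class TestController : ControllerBase
{
    // Either client can call this: only a valid "api" token is required.
    [HttpGet("status")]
    public IActionResult Status() => Ok(new { ok = true });

    // Only the on-behalf-of-user client can call this: the token must name a user.
    [HttpGet("me")]
    [Authorize(Policy = ExampleAuthorization.UserDataPolicy)]
    public IActionResult Me() => Ok(new { subject = User.FindFirst("sub")?.Value });
}
```

Wire `ExampleAuthorization.AddPolicies` in via `services.AddAuthorization(ExampleAuthorization.AddPolicies)` in the host's `ConfigureServices`. The design point is that "app is logged in but the user is not" is exactly the client credentials grant, and "logged in as a user with claims" is the authorization code grant; there is no second call to upgrade one into the other. The scopes a client is allowed to request bound what its tokens can contain, and a claim-based policy on the API enforces which endpoints need a user behind the token.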