IdentityServer / IdentityServer2

[deprecated] Thinktecture IdentityServer is a light-weight security token service built with .NET 4.5, MVC 4, Web API and WCF.

Identity Server Implementing Group Based Permissions Management #753

Closed RanaNoureddin closed 10 years ago

RanaNoureddin commented 10 years ago

Hi, I am going one step further, and building out a more advanced "permissions management" model on top of the basic Users/Roles paradigm represented by the Identity Server core. I am proposing the addition of what appear to be authorization Groups to the identity mix. Groups are assigned various combinations of permissions, i.e. identity server roles, and Users are assigned to one or more groups.

Any tips or tutorials on this would also be extremely helpful.

Thanks in advance.

brockallen commented 10 years ago

Well, IdentityServer is providing claims about a user. This is identity information, not necessarily permissions. Permissions are usually checked at authorization time when a resource is being requested, which is typically in an application. Have a look at the ClaimsAuthorizationManager or here: https://github.com/thinktecture/Thinktecture.IdentityModel/tree/master/source/Owin.ResourceAuthorization.Mvc

https://github.com/thinktecture/Thinktecture.IdentityModel/tree/master/source/Owin.ResourceAuthorization.WebApi

for the modern authorization programming model.

dealproc commented 10 years ago

@RanaNoureddin I did a similar concept as you... We modeled how TeamCity provides permissions by roles and groups to accounts. I'm chatting with a few of the folks on JabbR with regard to refactoring that work into a generic project to publish to github once we are satisfied with it. I cannot provide an ETA at the moment, but will warn that it's not the easiest thing to get in place.

RanaNoureddin commented 10 years ago

Thanks for the quick response! Can I modify the AuthorizationManager/AuthorizeTokenIssuance method to verify the relying party user's permissions, since IdentityServer checks access at authorization time when a resource is being requested?

Is that possible?

Best Regards,

brockallen commented 10 years ago

You can customize the claims issued from IdentityServer based upon the RP requesting the token. Look at the IClaimsRepository extensibility point.

RanaNoureddin commented 10 years ago

@brockallen Sorry, did you mean modifying IClaimsRepository by adding permissions, or did I misunderstand you?

Thanks in advance.

brockallen commented 10 years ago

Maybe I'm not clear on what you want - do you want to issue different claims to different RPs? Or do you want IdSvr to not issue a token to certain RPs?

RanaNoureddin commented 10 years ago

@brockallen I want to apply the ResourceAuthorization.Mvc technique with Identity Server. For example, a teacher (role) can add (action) a course (resource), i.e. my permission here is "add course".

So I thought the solution is modifying the Identity Server AuthorizationManager to check whether the current user's role has the requested permission (action-resource) or not.

Of course I need to modify the database by adding permissions.

I hope everything is clear now. If not, let me know.

Thanks in advance...

brockallen commented 10 years ago

And you want to make these changes to IdentityServer itself? So you have web pages that allow users to do this management of the data in the DB and you want to control authorization to these updates?

Given the size of this and potential complexity, I might suggest making this admin application a separate application. It can be a RP using IdSvr as the STS. Then in the app you can use the resource authorization to the pages that would update your DB. But my main suggestion is to keep this code outside of IdSvr so you don't have to change the main codebase of IdSvr.

RanaNoureddin commented 10 years ago

@brockallen If I create this admin app and install Thinktecture.IdentityModel to use the authorization manager, how do I make it like IdSvr, i.e. each request from any app will be processed by that app?

Thanks in advance...

brockallen commented 10 years ago

I don't understand this last question.

RanaNoureddin commented 10 years ago

@brockallen You suggested to me to build a new app to control the authorization process, but I need to centralize this app to make sure that every request from any RP will be handled by it, exactly like IdSrv. My question is how to do that.

For example, I should build RP A as suggested, which handles the authorization process using resource authorization, and RP B. When I request a page from B, of course the request will be handled by IdSrv first to be authenticated; after that I want the request to be authorized by A, and then if it succeeds it should be returned to B. How could this be done?

Thanks in advance...

RanaNoureddin commented 10 years ago

@brockallen I think I'm gonna use Thinktecture.IdentityModel with each RP to implement the authorization manager, but I still need a way to bind Identity Server roles with my couple (action, resource).

You have talked about integrating the Thinktecture IdentityServer database with an existing database; does IdSrv support the Oracle.ManagedDataAccess.Client provider?

Thanks in advance...

brockallen commented 10 years ago

Using the resource authorization in each RP makes sense -- it's at the RP where you need to implement authorization.

Right now IdentityServer supports an interface for the configuration system and you can implement this to store the data anywhere you want. We also have an EF implementation, so if your DB supports EF then using that approach might save you time and effort. See this repo: https://github.com/thinktecture/Thinktecture.IdentityServer.v3.EntityFramework
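The approach agreed on above (authorization enforced in each RP, with IdentityServer only issuing role claims) is illustrated below with the thread's own "teacher may Add a Course" example and the role-to-(action, resource) binding asked about earlier. This is an added example, not code from the IdentityServer2 project, Thinktecture.IdentityModel, or any participant in this thread. It assumes the Owin.ResourceAuthorization packages expose `ResourceAuthorizationManager` (with a `CheckAccessAsync` override and an `Eval` helper), `ResourceAuthorizationContext` (with `Principal`, `Action` and `Resource` claim collections), the `ResourceAuthorize` attribute and the `UseResourceAuthorization` OWIN extension, as recalled by the editor; the namespaces, the `PermissionStore` class and its grant table are constructed for the example and should be checked against the package you install.

```csharp
// Added example (not part of the IdentityServer2 project or this thread).
// Assumed APIs: ResourceAuthorizationManager, ResourceAuthorizationContext,
// ResourceAuthorizeAttribute and IAppBuilder.UseResourceAuthorization from
// Thinktecture.IdentityModel.Owin.ResourceAuthorization(.Mvc); verify namespaces
// against the installed package version.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Mvc;
using Owin;
using Thinktecture.IdentityModel.Mvc;
using Thinktecture.IdentityModel.Owin.ResourceAuthorization;

namespace CourseApp
{
    // Constructed permission table binding an IdentityServer role to an
    // (action, resource) pair. In a real RP this is the groups/permissions
    // database discussed in the thread; here it is in-memory for illustration.
    public static class PermissionStore
    {
        private static readonly HashSet<string> Grants =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "teacher:Add:Course",
            "teacher:Edit:Course",
            "teacher:Read:Course",
            "student:Read:Course",
        };

        public static bool IsGranted(string role, string action, string resource)
        {
            return Grants.Contains(role + ":" + action + ":" + resource);
        }
    }

    // Lives in the RP, not in IdentityServer: it maps the role claims that
    // IdSvr put in the token onto the (action, resource) pairs the RP defines.
    public class CourseAuthorizationManager : ResourceAuthorizationManager
    {
        public override Task<bool> CheckAccessAsync(ResourceAuthorizationContext context)
        {
            // Default deny: no principal or an unauthenticated identity gets nothing.
            if (context.Principal == null || context.Principal.Identity == null
                || !context.Principal.Identity.IsAuthenticated)
            {
                return Eval(false);
            }

            var roles = context.Principal.FindAll(ClaimTypes.Role)
                                         .Select(c => c.Value).ToList();
            var actions = context.Action.Select(c => c.Value).ToList();
            var resources = context.Resource.Select(c => c.Value).ToList();

            // An attribute with no action or resource is a configuration error; deny.
            if (actions.Count == 0 || resources.Count == 0)
            {
                return Eval(false);
            }

            // Every requested (action, resource) pair must be granted by at least
            // one of the caller's roles.
            bool allowed = actions.All(a =>
                resources.All(r =>
                    roles.Any(role => PermissionStore.IsGranted(role, a, r))));

            return Eval(allowed);
        }
    }

    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // The authentication middleware that validates the IdentityServer
            // token and builds the ClaimsPrincipal is registered before this
            // line (omitted here; it is the RP's usual WS-Federation/OIDC setup).
            app.UseResourceAuthorization(new CourseAuthorizationManager());
        }
    }

    public class CourseController : Controller
    {
        // The thread's example: a teacher (role) may Add (action) a Course (resource).
        // The action and resource names are what reach CheckAccessAsync.
        [ResourceAuthorize("Add", "Course")]
        public ActionResult Create()
        {
            return View();
        }

        [ResourceAuthorize("Read", "Course")]
        public ActionResult Details(int id)
        {
            return View();
        }
    }
}
```

With this layout IdentityServer stays unmodified: it only has to issue the role claim (via its normal claims repository), and the permission table that turns roles into actions on resources is owned and versioned by the RP that enforces it. Because `CheckAccessAsync` denies by default, a role that is missing from the table, or a token without any role claim, cannot reach the protected action.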

RanaNoureddin commented 10 years ago

@brockallen Thank you for your really kind cooperation. I just want to know which version supports what you have said; by the way, I am working on version 2.

And I know that EF is database independent, but it requires an EF ADO.NET provider to be supplied for the database. In my case I use the Oracle.ManagedDataAccess.Client provider as I mentioned earlier, so my DB supports EF; is that correct?

Thanks in advance...

brockallen commented 10 years ago

Oh, yes, IdentityServer v2... well, those repositories are also abstracted out and we do have an EF implementation -- so really the answer I gave above.