IdentityServer / IdentityServer3.AccessTokenValidation

OWIN Middleware to validate access tokens from IdentityServer3
Apache License 2.0

validating u #63

Closed talarari closed 8 years ago

talarari commented 8 years ago

If I have an API endpoint that looks like this

[Authorize]
[HttpGet]
public async Task GetSensitiveData(string userId)

validating the JWT token validates the issuer and audience, but where and how do I check that the subject claim in the access token matches the user id requested?

Should it just be part of the endpoint logic, or is there a more elegant way? Some kind of middleware?

Also, if my endpoint looked like this:

public async Task GetSensitiveData(string someResourceId)

what would be the best way to make sure the user requesting the resource has access to it? Where should this permission (user to resource) be saved? In the identity server or the API?

Thanks!

brockallen commented 8 years ago

Yes, just make the check in your Web API action method.
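One way to make that check inside the action method, as an added example that is not part of the original issue or of the IdentityServer3 project. It assumes ASP.NET Web API 2 hosted on OWIN with the IdentityServer3.AccessTokenValidation middleware already registered (so the validated token's claims are available through `ApiController.User`) and attribute routing enabled; `ISensitiveDataStore`, `Resource` and the route templates are hypothetical. The second action extends the same pattern to the resource-ownership question from the original post, on the assumption that the API's own store records who owns each resource.

```csharp
using System;
using System.Net;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;

// Added example, not code from the original issue or from the IdentityServer3 project.
// Assumes ASP.NET Web API 2 on OWIN with the IdentityServer3.AccessTokenValidation middleware
// already registered, so the access token's claims are exposed through ApiController.User.
// ISensitiveDataStore and Resource are hypothetical; substitute your own data access.
public interface ISensitiveDataStore
{
    Task<object> LoadForUserAsync(string userId);
    Task<Resource> LoadResourceAsync(string resourceId);
}

public class Resource
{
    public string Id { get; set; }
    public string OwnerSubject { get; set; } // 'sub' of the user who owns this resource
    public object Payload { get; set; }
}

// [Authorize] only proves the token is present and valid (signature, issuer, audience, lifetime).
// Whether the caller may see *this* user's or *this* resource's data is decided in the actions.
[Authorize]
[RoutePrefix("api/sensitive")]
public class SensitiveDataController : ApiController
{
    private readonly ISensitiveDataStore _store;

    public SensitiveDataController(ISensitiveDataStore store)
    {
        _store = store;
    }

    // Subject of the validated access token, or null if the token carried no 'sub' claim.
    private string CallerSubject
    {
        get { return (User as ClaimsPrincipal)?.FindFirst("sub")?.Value; }
    }

    // First question from the issue: the caller may only read their own data.
    [HttpGet]
    [Route("users/{userId}")]
    public async Task<IHttpActionResult> GetSensitiveData(string userId)
    {
        var subject = CallerSubject;
        if (string.IsNullOrEmpty(subject))
        {
            return Unauthorized();
        }

        // Ordinal comparison: subject identifiers are opaque strings, not natural-language text.
        if (!string.Equals(subject, userId, StringComparison.Ordinal))
        {
            // Authenticated but not permitted: 403, not 401.
            return StatusCode(HttpStatusCode.Forbidden);
        }

        return Ok(await _store.LoadForUserAsync(userId));
    }

    // Second question from the issue: the caller may only read resources they own.
    [HttpGet]
    [Route("resources/{someResourceId}")]
    public async Task<IHttpActionResult> GetResource(string someResourceId)
    {
        var subject = CallerSubject;
        if (string.IsNullOrEmpty(subject))
        {
            return Unauthorized();
        }

        var resource = await _store.LoadResourceAsync(someResourceId);

        // Same response for "does not exist" and "not yours", so the endpoint does not
        // reveal which resource ids exist to callers who are not allowed to see them.
        if (resource == null || !string.Equals(resource.OwnerSubject, subject, StringComparison.Ordinal))
        {
            return NotFound();
        }

        return Ok(resource.Payload);
    }
}
```

The check reads the `sub` claim that the access-token validation middleware placed on the principal and compares it to the identifier the caller asked for; the middleware cannot make this decision itself because it does not know how each route names the user or resource. If the same comparison is needed on many actions, it can be moved into a custom `AuthorizationFilterAttribute`, but the decision still belongs to the API, which is the only party that knows the route's semantics.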