Role based Authorization on WebApi Controllers in IdentityServer4?


If I have two .NET Core WebApi controllers, AdminController and UserController (in one project), and both require authorization, how can I set them up as 2 scopes in IdentityServer4 so that an Admin user has access to both controllers but a simple user cannot access the Admin controller, only the simple user controller? My client is of the Angular 2 type. And is there any example where role-based authorization is also shown? Thanks, Maverick

There is 1 answer

Christer (BEST ANSWER)

Probably not the definitive answer to your question (since it doesn't involve 2 scopes), but it might lead you somewhere.

I'm assuming you're using the token validation middleware, and that your API is set up using IdentityServerAuthentication.

You can have a role claim, which indicates what role the user has (i.e. user, admin). Then you can put up a check on the role for the admin API using the [Authorize(Roles="admin")] attribute, and for the user API just use [Authorize], which ensures that a user is logged in, or specify both roles as a comma-separated list ([Authorize(Roles="admin,user")]) if needed.

i.e.:

    using Microsoft.AspNetCore.Authorization;
    using Microsoft.AspNetCore.Mvc;

    // ASP.NET Core has no ApiController base class; derive from Controller (or ControllerBase).
    [Authorize(Roles = "Admin")]
    public class AdminController : Controller
    {
        // every action here requires a principal holding a role claim whose value is exactly "Admin"
    }

Here is a link to the docs on the Authorize attribute for .NET Core:

https://learn.microsoft.com/en-us/aspnet/core/security/authorization/roles
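Below is an added, end-to-end example of the approach the answer describes (a role claim in the access token checked by [Authorize(Roles = ...)] on the two controllers from the question). It is not code from the original post or from the IdentityServer4 project; it assumes ASP.NET Core 2.x with the IdentityServer4 and IdentityServer4.AccessTokenValidation packages, an IdentityServer running at https://localhost:5000, an API resource named "api1", and role names "Admin" and "User". The test users are constructed for the example.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using IdentityServer4.Models;
using IdentityServer4.Test;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// --- IdentityServer4 side (token issuer) ---
public static class IdentityServerConfig
{
    // UserClaims lists the user claims copied into access tokens issued for this API.
    // Without "role" here the token carries no role claim at all, and every
    // [Authorize(Roles = ...)] check on the API fails with 403 even for admins.
    public static IEnumerable<ApiResource> GetApis() => new[]
    {
        new ApiResource("api1", "Example API") { UserClaims = { "role" } }
    };

    // Constructed test users (assumption for this example). A real deployment
    // sources roles from ASP.NET Identity or a custom IProfileService instead.
    public static List<TestUser> GetUsers() => new List<TestUser>
    {
        new TestUser { SubjectId = "1", Username = "alice", Password = "alice",
            Claims = { new Claim("role", "Admin"), new Claim("role", "User") } },
        new TestUser { SubjectId = "2", Username = "bob", Password = "bob",
            Claims = { new Claim("role", "User") } }
    };
}

// --- API side (resource server) ---
public class ApiStartup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        services.AddAuthentication("Bearer")
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = "https://localhost:5000"; // assumed IdentityServer URL
                options.ApiName = "api1";                     // must equal the ApiResource name
                options.RequireHttpsMetadata = true;
                // The claim type [Authorize(Roles = ...)] inspects. IdentityServer4 issues the
                // short "role" type (the package default); set it explicitly so attribute and
                // token cannot drift apart if someone later switches to plain JwtBearer.
                options.RoleClaimType = "role";
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication(); // must precede MVC, otherwise every request is anonymous
        app.UseMvc();
    }
}

// Reachable only with a valid token that contains role=Admin.
[Authorize(Roles = "Admin")]
[Route("api/[controller]")]
public class AdminController : Controller
{
    [HttpGet]
    public IActionResult Get() => Ok(new { area = "admin-only" });
}

// Reachable by anyone holding either role; the comma means "any of these".
// The role comparison is an ordinal, case-sensitive string match, so a token
// carrying "admin" does not satisfy Roles = "Admin".
[Authorize(Roles = "Admin,User")]
[Route("api/[controller]")]
public class UserController : Controller
{
    [HttpGet]
    public IActionResult Get() => Ok(new { area = "users" });
}
```

With this configuration, a token for alice reaches both /api/admin and /api/user, while a token for bob gets 200 from /api/user and 403 from /api/admin. The most common failure mode in practice is the first one noted in the comments: the role claim is set up on the user but never added to the API resource's UserClaims, so the access token never contains it.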