I am using IdentityServer4 for protecting my .NET Core app. I would like to use Policy-Based Authorization.
Here is an example of one policy I did:
    options.AddPolicy("api.order.write", builder =>
        builder.RequireScope(
            "app.write", "app.read", "app.order.read"));
I would like to grant different scopes to different roles. For example, a user with the role Viewer will have only the app.read scope. So during the login request the web client sends a request to identity with the list of all scopes we have in the app, but then it should handle it and return a token with role-based scopes. I think I can implement a custom IProfileService, check the user roles there and add a claim with scopes, but maybe there is already a solution for this. Do you have any ideas?
UPD: I created a custom IProfileService and I am checking the user role and then setting a specific list of scopes like this:
    // remove existing scope claims, if any are present already
    context.IssuedClaims = context.IssuedClaims.Where(x => x.Type != "scope").ToList();

    // add one scope claim per scope allowed for the Viewer role
    foreach (var scope in viewerScopes)
    {
        context.IssuedClaims.Add(new Claim("scope", scope));
    }
but I still receive all scopes (not per role), the same list of scopes which the web client sends during the login request.
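An added example (not part of the question above, and not IdentityServer4's own code) showing how the role-to-scope intent can be expressed against IdentityServer4's IProfileService and the ASP.NET Core authorization policy API. As far as I know, IdentityServer4's default claims service adds the access token's scope claims from the validated request and drops any "scope" claims the profile service returns, so the ProfileDataRequestContext.IssuedClaims list never contains the scope claims the UPD snippet tries to remove. This example therefore issues the user's role claims from the profile service and makes the API-side policy require both the scope and the role, which keeps a Viewer from satisfying the write policy even when the client was granted app.write. Note also that RequireScope with several names is satisfied by any one of them (it is an any-of claim check), so the three-scope policy in the question is weaker than it may look. The role names, the IUserRoleStore abstraction, the policy names and the RoleScopes.Allowed helper are assumptions for the example.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4.Models;
using IdentityServer4.Services;
using IdentityServer4.AccessTokenValidation; // RequireScope extension, as used in the question
using Microsoft.AspNetCore.Authorization;

// Constructed role -> scope map; role and scope names are hypothetical, modelled on the question.
public static class RoleScopes
{
    public static readonly IReadOnlyDictionary<string, string[]> Map =
        new Dictionary<string, string[]>
        {
            ["Viewer"] = new[] { "app.read" },
            ["Editor"] = new[] { "app.read", "app.write", "app.order.read" },
        };

    // Scopes a user holding the given roles may use, intersected with what the client requested.
    // Unknown roles contribute nothing, so a user with no mapped role ends up with no scopes.
    public static IReadOnlyCollection<string> Allowed(IEnumerable<string> roles, IEnumerable<string> requested)
    {
        var permitted = new HashSet<string>(
            roles.Where(Map.ContainsKey).SelectMany(r => Map[r]));
        return requested.Where(permitted.Contains).ToList();
    }
}

// Hypothetical application-side lookup of a user's roles by subject id.
public interface IUserRoleStore
{
    Task<IReadOnlyList<string>> GetRolesAsync(string subjectId);
}

// Profile service that issues the user's role claims into identity and access tokens.
// It does not try to issue "scope" claims: those are owned by IdentityServer's claims service.
public class RoleProfileService : IProfileService
{
    private readonly IUserRoleStore _roles;

    public RoleProfileService(IUserRoleStore roles) => _roles = roles;

    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var sub = context.Subject.FindFirst(JwtClaimTypes.Subject)?.Value;
        if (string.IsNullOrEmpty(sub)) return; // no user behind this token (e.g. client credentials)

        foreach (var role in await _roles.GetRolesAsync(sub))
        {
            // JwtClaimTypes.Role is "role", which ASP.NET Core's RequireRole understands
            context.IssuedClaims.Add(new Claim(JwtClaimTypes.Role, role));
        }
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        // Example only: a real implementation checks the user store for lockout / deletion.
        context.IsActive = true;
        return Task.CompletedTask;
    }
}

// API-side policies: scope says what the client may do, role says what the user may do.
// Both must hold, so a Viewer using a client that was granted app.write still cannot write.
public static class ApiPolicies
{
    public static void Configure(AuthorizationOptions options)
    {
        options.AddPolicy("api.order.read", b => b
            .RequireScope("app.order.read"));

        options.AddPolicy("api.order.write", b => b
            .RequireScope("app.write")
            .RequireRole("Editor"));
    }
}
```

Wire it up with `services.AddIdentityServer(...).AddProfileService<RoleProfileService>()` on the identity side and `services.AddAuthorization(ApiPolicies.Configure)` on the API side; RoleScopes.Allowed is the place to compute, for example in a consent or token-request step, which of the client's requested scopes a given user's roles actually permit.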