0
votes

I have the following projects:

  1. Identity Server 4, with ASP.NET Identity as a user store for all users of all my apps.
  2. .NET Core 5 Web API
  3. Xamarin app

The flow goes like this:

  1. User logs in from the Xamarin app (3) and is authenticated against IdentityServer (1)
  2. User receives an access token from Identity Server, that contains the sub claim
  3. User makes a request to the Web API (2) using the access token
  4. The Web API (2) checks its own database for user permissions

----QUESTION/PROBLEM IS HERE-----

Should the Web API add these user claims (permissions) to the access token, OR should the Web API always check the database for the user permissions on every request made from the client?

  • Maybe I could add the claims before authenticating with IdentityServer, but this would mean that IdentityServer would have access to the Web API's database. I believe this is not a good practice because of separation of concerns.

  • Another solution would be to introduce a caching mechanism when the Web API validates the token, so that it doesn't always check the database.

  • Using claims transformation, it is my understanding that I can add the claims to this 1 request only, meaning that the next time a client makes a request, claims transformation should happen again, since it doesn't return a new access token to the user.

Ideally, I would like the Web API to add the claims to the access token so that the Web API can trust these claims on all subsequent requests. I cannot find a way to do so, though. I've searched for Claims Transformation, IssueJwtAsync (IdentityServerTools), IProfileService, but I think none of these are solutions to this problem.

Is this good architecture? Please do share your opinions on this subject and potential solutions.

Thank you very much!

1
If you decide to go with a custom claims transformer, you can do caching inside the claims transformer. Complete solution here: stackoverflow.com/a/63441045/14072498 - Roar S.

1 Answer

0
votes

You need to add these permissions in the Web API, because users need to access the corresponding resources according to these granted permissions. And permissions are granted when the user logs in for the first time, without the need to access the database on every request.

In this case, you can use Claims Transformation. This link has more detailed steps which can solve this problem.
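The following is an added example, not code from the question, the answer, or the IdentityServer project, showing the approach that both the question's second and third bullets and the answer converge on: a claims transformation in the Web API that loads the user's permissions from the API's own store and caches them per `sub` so the database is not hit on every request. It is written this way because the API cannot add claims to the access token itself: the token is signed with IdentityServer's key, so only IdentityServer (for example through `IProfileService`) could put claims into it. The `IPermissionStore` interface, the `permission` claim type, the `perms:` cache key prefix and the five-minute TTL are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Caching.Memory;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical abstraction over the Web API's own permission table.
// The real implementation would query the API's database (EF Core, Dapper, ...).
public interface IPermissionStore
{
    Task<IReadOnlyList<string>> GetPermissionsAsync(string subjectId);
}

// Runs after bearer-token validation on every request and enriches the
// principal with permission claims. The principal lives only for this
// request, so the lookup is cached by subject id instead of re-running the query.
public sealed class CachedPermissionClaimsTransformation : IClaimsTransformation
{
    public const string PermissionClaimType = "permission";          // assumed claim type
    private static readonly TimeSpan CacheTtl = TimeSpan.FromMinutes(5); // assumed TTL

    private readonly IPermissionStore _store;
    private readonly IMemoryCache _cache;

    public CachedPermissionClaimsTransformation(IPermissionStore store, IMemoryCache cache)
    {
        _store = store;
        _cache = cache;
    }

    public static string CacheKey(string subjectId) => $"perms:{subjectId}";

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        var identity = principal.Identity as ClaimsIdentity;
        if (identity is null || !identity.IsAuthenticated)
            return principal;

        // TransformAsync can be invoked more than once per request; do not add claims twice.
        if (identity.HasClaim(c => c.Type == PermissionClaimType))
            return principal;

        // The JWT bearer handler maps "sub" to ClaimTypes.NameIdentifier unless
        // inbound claim mapping is disabled, so accept either form.
        var sub = principal.FindFirst("sub")?.Value
                  ?? principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(sub))
            return principal;

        var permissions = await _cache.GetOrCreateAsync(CacheKey(sub), async entry =>
        {
            entry.AbsoluteExpirationRelativeToNow = CacheTtl;
            return await _store.GetPermissionsAsync(sub);
        });

        // Never mutate the principal built by the authentication handler; work on a clone.
        var clone = principal.Clone();
        var cloneIdentity = (ClaimsIdentity)clone.Identity!;
        foreach (var permission in permissions ?? Array.Empty<string>())
            cloneIdentity.AddClaim(new Claim(PermissionClaimType, permission));

        return clone;
    }
}

// Call this from whatever code path changes a user's permissions so that a
// revoked permission stops working at most one request later, not after the TTL.
public static class PermissionCacheInvalidation
{
    public static void Invalidate(IMemoryCache cache, string subjectId)
        => cache.Remove(CachedPermissionClaimsTransformation.CacheKey(subjectId));
}

// Registration (Startup.ConfigureServices or Program.cs) and a policy that
// consumes the transformed claims; EfPermissionStore is a hypothetical implementation.
public static class PermissionClaimsSetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddMemoryCache();
        services.AddScoped<IPermissionStore, EfPermissionStore>();
        services.AddTransient<IClaimsTransformation, CachedPermissionClaimsTransformation>();

        services.AddAuthorization(options =>
        {
            options.AddPolicy("CanReadOrders", policy =>
                policy.RequireClaim(CachedPermissionClaimsTransformation.PermissionClaimType, "orders.read"));
        });
    }
}
```

Controllers then use `[Authorize(Policy = "CanReadOrders")]` and never touch the permission table directly. Two caveats a reviewer would raise: the cache is per process, so in a multi-instance deployment either use `IDistributedCache` or accept that a permission change propagates only after the TTL on instances that were not told to invalidate; and a cache entry keyed only by `sub` outlives any individual token, which is exactly what makes revocation through `Invalidate` necessary rather than relying on token expiry.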