Fuji Nguyen

Summary

Tutorial 6 demonstrates how to implement claims-based policy security in a WebAPI using IdentityServer4 to achieve granular access control.

Abstract

This tutorial is the sixth in a series that focuses on securing WebAPIs. It builds upon Tutorial 4, where basic JWT security was established using the "Authorize" attribute. The current tutorial delves into policy-based authorization to refine access control, specifically for role-based operations. It outlines a use case where only admin users are permitted to DELETE data in the EmployeeProfile WebAPI. The tutorial is divided into three parts: setting up an admin role and assigning users to it via the IdentityServer4 Admin UI, configuring the OAuth2 API resource so that the "role" claim is included in the access token, and implementing a policy within the WebAPI that restricts the delete action to admin users. The process involves updating configuration files, adding code to set up the policy, and applying the policy at the action level in the controller. Testing instructions, a login account, and links to the Angular SPA and WebAPI Swagger interfaces are provided, along with the source code repository for further reference.


IdentityServer4 Claims-Based Policy WebAPI Security | Tutorial 6

Photo by Matt Seymour on Unsplash

In Tutorial 4, you learned how to secure a WebAPI by requiring a valid JWT with the “Authorize” attribute. In this tutorial, you will learn how to implement an authorization policy to provide fine-grained access control on top of that.

Prerequisites

  1. Visual Studio 2019 (community edition is ok)
  2. Git client

Tutorial Content

Use case: Let’s say you want to enforce role-based access control in your application. For example, only admin users may DELETE data in the sample EmployeeProfile WebAPI (from Tutorial 4). See Figure 1 for the Swagger page of the Employee Profile API.

Figure 1 — EmployeeProfile WebAPI in Swagger

This tutorial contains three parts:

  1. Set up an admin role and assign users to the admin role using the IdentityServer4 Admin UI
  2. Configure the OAuth2 API resource so that the “role” claim is included in the access token, using the IdentityServer4 Admin UI
  3. Implement a policy that limits the Delete action to users in the admin role

Part 1 — Set up an admin role and assign users to the admin role using the IdentityServer4 Admin UI

Task 1 — Add admin role. See Figure 2.

Figure 2 — Add admin role

Task 2 — Assign the user to the admin role. See Figure 3.

Figure 3 — Add user to the admin role

Part 2 — Configure the OAuth2 API resource to include “role” in the access token using the IdentityServer4 Admin UI

To get the role into the access token, navigate to the Api Resource for the EmployeeProfile WebAPI and add “role” to its User Claims. See Figure 4. Only the claims listed on the Api Resource are copied into access tokens issued for that resource; adding “role” to an Identity Resource would only affect the identity token and the userinfo endpoint, and the WebAPI would still see no role claim. The values themselves come from the role memberships assigned in Part 1.

Figure 4 — Add role to Api Resource > User Claims
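For readers who configure IdentityServer4 in code instead of through the Admin UI, the following is the in-code equivalent of the Figure 4 step. This is an added example, not code from the tutorial or its repository; the resource name “employeeprofile”, the scope names and the use of the IdentityServer4 v4 resource model (separate ApiResource and ApiScope) are assumptions.

```csharp
// Added example (not the tutorial's code): in-code equivalent of adding
// "role" to Api Resource > User Claims in the IdentityServer4 Admin UI.
// Resource and scope names are assumptions for illustration.
using System.Collections.Generic;
using IdentityServer4.Models;

public static class Config
{
    public static IEnumerable<ApiResource> ApiResources =>
        new List<ApiResource>
        {
            new ApiResource("employeeprofile", "Employee Profile API")
            {
                // Claims listed here are copied from the user's claims into
                // access tokens issued for this resource. Without "role" the
                // WebAPI never sees the admin role, and any RequireRole policy
                // silently denies everyone.
                UserClaims = { "role" },

                // Scopes a client must request to obtain a token for this API.
                Scopes = { "employeeprofile.read", "employeeprofile.write" }
            }
        };

    public static IEnumerable<ApiScope> ApiScopes =>
        new List<ApiScope>
        {
            new ApiScope("employeeprofile.read", "Read employee profiles"),
            new ApiScope("employeeprofile.write", "Create, update and delete employee profiles")
        };

    public static IEnumerable<IdentityResource> IdentityResources =>
        new List<IdentityResource>
        {
            new IdentityResources.OpenId(),
            new IdentityResources.Profile(),
            // Optional: exposing "role" as an identity resource puts it in the
            // id_token / userinfo for the SPA, but it does NOT put it in the
            // access token; that is governed solely by the ApiResource above.
            new IdentityResource("roles", "User roles", new[] { "role" })
        };
}
```

When using the Admin UI (as the tutorial does), the same data lives in the configuration database, so the Figure 4 edit is what produces the `UserClaims = { "role" }` line above. After changing it, request a fresh access token and decode it (for example at jwt.ms) to confirm a `role` claim is present before touching the WebAPI.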

Part 3 — Implement a policy that limits the Delete action to users in the admin role

Task 1 — Update appsettings.json with a configuration setting that holds the admin role name. See Figure 5 (line 22).

Figure 5 — Admin role name setting in appsettings.json of the EmployeeProfile WebAPI

Task 2 — Add code to set up the authorization policy. See Figure 6.

Figure 6 — Code to set up the authorization policy

Task 3 — Reference the policy from the Authorize attribute at the action level in the controller, so only the DELETE action is restricted while the rest of the controller still accepts any valid JWT. See Figure 7.

Figure 7 — Add a policy to the “Authorize” attribute
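The three tasks of Part 3, written out end to end as an added example; this is not the tutorial's own Startup.cs or controller, and the configuration keys (`Authorization:AdminRole`, `Authentication:Authority`, `Authentication:Audience`), the policy name “AdminOnly” and the controller shape are assumptions. It also shows a caveat the figures cannot: if your Startup clears the default inbound claim-type map (as many IdentityServer4 samples do), you must tell the JWT bearer handler that `role` is the role claim, or `RequireRole` never matches and every DELETE returns 403 even for admins.

```csharp
// Added example (not the tutorial's code). Targets ASP.NET Core 3.1 / .NET 5.
// Assumed appsettings.json content:
//   "Authentication": { "Authority": "https://<identityserver>", "Audience": "employeeprofile" },
//   "Authorization":  { "AdminRole": "admin" }
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public const string AdminOnlyPolicy = "AdminOnly"; // assumed policy name

    private readonly IConfiguration _config;
    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        // Keep the short JWT claim names ("sub", "role") instead of letting the
        // handler rename them to the legacy SOAP-style ClaimTypes URIs.
        JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = _config["Authentication:Authority"];
                options.Audience = _config["Authentication:Audience"];

                // Because the inbound map was cleared above, the framework no
                // longer knows which claim carries roles. Without this line,
                // User.IsInRole() and RequireRole() always return false.
                options.TokenValidationParameters.RoleClaimType = "role";
                options.TokenValidationParameters.NameClaimType = "name";
            });

        // Task 1: the role name is read from configuration, not hard-coded,
        // so environments can use a different role without a code change.
        var adminRole = _config["Authorization:AdminRole"];

        // Task 2: register the policy. RequireAuthenticatedUser() makes the
        // intent explicit; RequireRole() checks the "role" claim in the JWT.
        services.AddAuthorization(options =>
        {
            options.AddPolicy(AdminOnlyPolicy, policy =>
                policy.RequireAuthenticatedUser()
                      .RequireRole(adminRole));
        });

        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // must run before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

[ApiController]
[Route("api/[controller]")]
[Authorize] // Tutorial 4 behaviour: any valid JWT may read/update
public class EmployeeProfileController : ControllerBase
{
    [HttpGet("{id}")]
    public IActionResult Get(int id) => Ok(new { id });

    // Task 3: the policy is applied only to the DELETE action. Both attributes
    // must pass: a valid JWT (controller level) AND the admin role (action level).
    [HttpDelete("{id}")]
    [Authorize(Policy = Startup.AdminOnlyPolicy)]
    public IActionResult Delete(int id)
    {
        // ... delete logic for the employee profile goes here ...
        return NoContent();
    }
}
```

To verify, call DELETE with a token for a user who is not in the admin role and confirm a 403 Forbidden (not 401: the token is valid, the role is missing), then repeat with the admin user from the Test Drive section and confirm 204 No Content.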

Test Drive

Login account: (janedoe, Pa$$word123)

Angular SPA: https://devkit-cli-angular-oidc-oauth2.azurewebsites.net

WebAPI: https://devkit-api-employeeprofile.azurewebsites.net/swagger/index.html

Source Code

Git Repo: https://github.com/workcontrolgit/devkit-apiresources-employeeprofileapi

Related Tutorials

Rapid Prototype Asp.Net Core REST API using KissApi Template — use Visual Studio template to generate Clean Architecture solution based on Repository Pattern, Unit of Work, Dapper, SQLKata, and Swagger.

Summary

This tutorial provides step-by-step instructions to set up and configure an authorization policy that secures the REST API. The source code for this tutorial is available in the Git Repo listed above. To view all other related tutorials, visit DevKit WebAPI Security.

Identityserver4
Identity Management
Angular
Aspnetcore