
So my company (let's call it CompanyA) has a case where my users/clients can use their company Identity Provider (OpenID) to log in to our products (web-based). I provided a REST API (.NET Core) where they can access and modify their own settings for OpenID.

For API access, they will also authenticate using their own company account. This API has methods, some of which are only allowed to be accessed by internal (CompanyA) users. For example, I have 3 methods:

  1. Client/List -> can be accessed by internal and external (but external can only view their own)
  2. Client/Add -> can be accessed by internal and external
  3. Client/Remove -> can be accessed by internal

Now, the problem is that since I have no access to their Identity Provider, I can't exactly control what kind of claims are present in the token.

My method has something like [Authorize(Roles = "Admin")] to tell whether a user has access. So, my question is: what is the best practice for this kind of case? I do have a DB where I can check whether the logged-in user (by email) has access. Is it possible, for example, after a successful login, to check the token, get the email value from the token and apply Roles accordingly?

tickwave
  • I had exactly the same question - how do I insert an activity in the login event that goes into a database and looks up more claims to be attached to the security structure so it can be utilised by decorators. And here it is... https://stackoverflow.com/questions/43343399/capturing-login-event-so-i-can-cache-other-user-information – Nick.Mc Aug 03 '21 at 04:07
  • The question shows you how to intercept the login event and add a claim (that is recognised by decorators). Hopefully you can work out the database lookup bit yourself. If not I can try and track down my code. – Nick.Mc Aug 03 '21 at 04:09
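The approach the question asks about (validate the external token, look the user up in CompanyA's own DB, and attach role claims so `[Authorize(Roles = "Admin")]` works) maps onto ASP.NET Core's `IClaimsTransformation` hook, which runs after authentication on every request. The code below is an added illustration, not code from the question or from any answer. `IUserRoleRepository`, `InMemoryUserRoleRepository`, `DbRoleClaimsTransformation` and the sample issuers and subjects are assumed names and constructed data; the `IClaimsTransformation`, `ClaimsPrincipal` and `ClaimTypes` APIs are real. The lookup is keyed on issuer plus subject rather than email alone, because an `email` claim minted by an IdP that CompanyA does not control should not by itself map a token onto a CompanyA account:

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical abstraction over CompanyA's own DB: which roles has CompanyA granted
// to the user identified by (token issuer, subject)? Email is passed only as a hint.
public interface IUserRoleRepository
{
    Task<IReadOnlyList<string>> GetRolesAsync(string issuer, string subject, string? email);
}

// Constructed in-memory stand-in so the example runs without a database.
public sealed class InMemoryUserRoleRepository : IUserRoleRepository
{
    // Constructed sample grants: one internal CompanyA admin and one external customer user.
    private readonly Dictionary<(string Issuer, string Subject), string[]> _grants = new()
    {
        [("https://login.companya.example", "alice-internal")] = new[] { "Admin", "Customer" },
        [("https://idp.customer.example", "bob-external")]     = new[] { "Customer" },
    };

    public Task<IReadOnlyList<string>> GetRolesAsync(string issuer, string subject, string? email)
    {
        var roles = _grants.TryGetValue((issuer, subject), out var r) ? r : Array.Empty<string>();
        return Task.FromResult<IReadOnlyList<string>>(roles);
    }
}

// Runs after the bearer token has been validated and turns DB grants into role claims,
// so [Authorize(Roles = "Admin")] works even though CompanyA does not control the IdP's claims.
public sealed class DbRoleClaimsTransformation : IClaimsTransformation
{
    // Marks claims added here so they can be told apart from claims that came from the token.
    private const string LocalIssuer = "CompanyA-db";

    private readonly IUserRoleRepository _repo;
    public DbRoleClaimsTransformation(IUserRoleRepository repo) => _repo = repo;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        if (principal.Identity is not ClaimsIdentity identity || !identity.IsAuthenticated)
            return principal;

        // Claims transformation can run more than once per request; do not add roles twice.
        if (identity.HasClaim(c => c.Type == identity.RoleClaimType && c.Issuer == LocalIssuer))
            return principal;

        // JwtBearer maps "sub" to NameIdentifier by default; handle the unmapped form too.
        var subjectClaim = identity.FindFirst(ClaimTypes.NameIdentifier) ?? identity.FindFirst("sub");
        if (subjectClaim is null)
            return principal;

        // Every claim built from the token carries the token's "iss" as its Issuer.
        var issuer = identity.FindFirst("iss")?.Value ?? subjectClaim.Issuer;
        var email  = identity.FindFirst(ClaimTypes.Email)?.Value ?? identity.FindFirst("email")?.Value;

        var roles = await _repo.GetRolesAsync(issuer, subjectClaim.Value, email);
        foreach (var role in roles)
        {
            // Use the identity's configured RoleClaimType so the Roles= check matches it.
            identity.AddClaim(new Claim(identity.RoleClaimType, role, ClaimValueTypes.String, LocalIssuer));
        }

        return principal;
    }
}

public static class RoleClaimsSetup
{
    // Register next to AddAuthentication().AddJwtBearer(...) in Program.cs / Startup.cs.
    public static IServiceCollection AddDbRoleClaims(this IServiceCollection services) =>
        services.AddScoped<IUserRoleRepository, InMemoryUserRoleRepository>()
                .AddScoped<IClaimsTransformation, DbRoleClaimsTransformation>();
}
```

With this registered, `Client/Remove` can stay as `[Authorize(Roles = "Admin")]` and only users CompanyA's DB marks as Admin pass. Two things the role check does not cover: the JwtBearer `TokenValidationParameters.ValidIssuers` list still decides which customer IdPs are accepted at all, and the "external can only view their own" rule on `Client/List` is a per-resource filter, so the action still has to scope its query to the caller's tenant (for example by the same issuer/subject pair). Because the transformation runs on every request, wrap the repository in a short-lived cache (`IMemoryCache`) if the DB round-trip matters.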

0 Answers