I am using Identity server to protect my API. I have defined the ApiResource as this:
return new List<ApiResource>
{
new ApiResource
{
Name = "phone.api",
ApiSecrets={new Secret("secret1".Sha256())},
Scopes =
{
new Scope()
{
Name = "phone.api.full_access",
DisplayName = "Full access to API"
},
new Scope
{
Name = "phone.api.write",
DisplayName = "Write and read access to API"
},
new Scope
{
Name = "phone.api.read",
DisplayName = "Read only access to API"
}
}
,UserClaims=new List<string>()
{
"roles",
// ClaimTypes.DateOfBirth
}
},
And a test user like this:
new TestUser
{
SubjectId = "1",
Username = "Billy Admin",
Password = "password",
Claims = new List<Claim>()
{
new Claim("roles", "phone.api.admin"),
new Claim(ClaimTypes.DateOfBirth,new DateTime(1900,10,10).ToString())
}
}
The api is protected with the following code:
services.AddAuthentication("Bearer")
.AddIdentityServerAuthentication(options =>
{
options.Authority = Config.AUTHAUTHORITY; //"http://localhost:4000";
options.ApiName = "phone.api";
options.ApiSecret = "secret1";
options.RequireHttpsMetadata = false;
});
I have the question if when a client+ access_token (not cotaining the claim 'ClaimTypes.DateOfBirth' , the API will automatically call the user info endpoint in the authority server to get the extra claims are needed. The reason I need the extra claims are fore cheking some policies like:
services.AddAuthorization(options =>
{
options.AddPolicy("Only21", policy => policy.Requirements.Add(new MinimumAgeRequirement(21)));
} );
My tests shows me that it is not calling the userinfo endpoint, and I want to know why. Should I call it in my own AuthorizationHandler<MinimumAgeRequirement>
?
Many thanks.
Badulake's question is an interesting one: how do you manage API claims in an OAuth Architecture in a manner that actually works best for the API?
It is not just an OAuth technology question - it is more of an API extensibility design question. I have found that managing claims data in the API works best, and it is common to use claims caching to make this perform well.
Out of interest, here is a .Net code sample that implements the above architecture:
Recently I've been doing some AWS Serverless APIs and it was interesting to find that the AWS API Gateway also uses this type of approach.