How to implement authorization in the dashboard module #1097
Comments
|
Our Dashboard does not display different views according to different identity roles, so as long as the authentication is passed, all views can be seen and operations can be performed. You need to control the systems that the company's users can access in the OIDC server system, not here |
|
Thank you for this very fast response. The problem is that we use the Duende identity server that is compatible with OpenID, but we only use it for authentication, not for authorization, so we always delegate the authorization to the microservices. and we can't think of how to limit the use of the dashboard to a reduced set of company users who use our identity server. |
|
Well, I thought maybe you could add some logic at the custom AuthenticationHandler to suit your needs. PS: In our SSO system, there is a table to store the clients that the user can access. And override the FindClientByIdAsync in the IClientStore interface, when the method is called, it will get the user from the context and verify whether it has access rights. public class ClientStore : IClientStore
{
private readonly HttpContext _context;
private readonly ILogger<ClientStore> _logger;
private readonly IResourceManager _manager;
private readonly IUserManager _userManager;
public ClientStore(IResourceManager manager, IUserManager userManager, IHttpContextAccessor accessor,
ILogger<ClientStore> logger)
{
_manager = manager;
_userManager = userManager;
_logger = logger;
_context = accessor.HttpContext;
}
public async Task<Client> FindClientByIdAsync(string clientId)
{
//When an SSO user logs in to another system, check whether the user can log in to the target system
if (_context.User.IsAuthenticated())
{
var userId = int.Parse(_context.User.GetSubjectId());
if (_userManager.ClientValidate(userId, int.Parse(clientId)))
{
if (await _userManager.CheckRequire2FAAsync(userId))
{
throw new DomainRedirectException("You need enable 2FA!","/Account/Require2FA");
}
_logger.LogDebug($"Logged-in User Find Client Success. Id: {clientId}, UserId: {userId} ");
return ConvertToClient(await _manager.GetClientAsync(ConvertClientIdToInt(clientId)));
}
_logger.LogDebug($"Find client failed. Razon: No authority. Id: {clientId}, UserId: {userId} ");
throw new DomainException("You do not have access to this system", 401);
}
_logger.LogDebug($"Find client success, Id: {clientId}");
return ConvertToClient(await _manager.GetClientAsync(ConvertClientIdToInt(clientId)));
} |
|
Thank you very much for the suggestion, we will see if it can be applied to our SSO or we have to apply another alternative. We will write down the final result in the incidence in case it can be useful for other companies Once again, thank you very much for your work :) |
|
We are testing with the Auth example and our Identity server with this config: But it does not work because the authentication is not being launched against our identity server. If we change the code of CAP.BuilderExtension.cs to this now is working well.... Is this a bug or are we doing anything bad ?. Thanks!!! |
…f dashboard authentication. #1097
|
Oh, I think It's a bug. Challenge should be executed first, I released a preview version to fix this in a few minutes ago. You can test it with the version // Set to false or remove this line if you does't needs custom authenticate.
d.UseAuth = false; |
|
ok, now the process is better understood. |
Thanks for this great library.
We are implementing it in our microservices and we understand how to authenticate users with the dashboard module, but... How can we limit their access, that is, how can we say who can access it specifically?
In the example it only shows how to configure the authentication but not the authorization to limit access to specific users of a company....
Thank you very much!!
The text was updated successfully, but these errors were encountered: