Defining scopes, clients and users

We can define a new class in the same project and name it Config class, and create test users, scopes, and clients to test our flow.

Scopes are the collection of claims and are mandatory to be defined, so the claims can be sent out in the response from authorization servers as part of a token. Claims are heavily used when dealing with the authorization scenario.

Scopes are modelled as resources and divided into two types, namely Identity and API. Identity scopes represent any claim, such as role, name, email, or custom claim values, whereas API scopes are used to access the protected resources, particularly APIs.

Identity scopes can be defined as follows in the Config class:

    public static IEnumerable<IdentityResource> GetIdentityScopes() 
    { 
        return new List<IdentityResource> 
        {  
            new IdentityResources.OpenId(), 
            new IdentityResources.Profile(), 
            new IdentityResources.Email(), 
            new IdentityResource { 
                Name = "role", 
            } 
        }; 
    }

Whereas the API scopes can be defined as follows:

    public static IEnumerable<ApiResource> GetApiScopes() 
    { 
        return new List<ApiResource> 
        { 
            new ApiResource { 
                Name = "vendorManagementAPI", 
                 DisplayName = "Vendor API", 
                     Description = "Vendor API scope", 
            } 
        };         
    }

Next, we will define the clients. When setting up the authorization server, we need to specify the clients so that the authorization can register them and return them the token on successful authentication. Once the client is defined, the client can communicate to the authorization and do the authentication and request tokens.

Here is the code snippet to define the client:

    public static IEnumerable<Client> GetClients() 
    { 
        return new List<Client> 
        { 
            new Client 
            { 
                ClientId = "client", 
                ClientName ="MVC Client", 
                AllowedGrantTypes= GrantTypes.Implicit, 
                RedirectUris = {
                  "http://localhost:5002/signin-oidc" }, 
                  PostLogoutRedirectUris= {"http://localhost:5002"}, 
                  Enabled=true, 
                  AccessTokenType=  AccessTokenType.Jwt, 
                  AllowedScopes =new List<string> 
                  { 
                      StandardScopes.OpenId, 
                      StandardScopes.Profile, 
                      StandardScopes.Email, 
                      StandardScopes.OfflineAccess, 
                      "role" 
                  }, 
              } 
        }; 
    }

ClientID is the unique ID of the client, whereas ClientSecrets are credentials to access the token endpoint. AllowedScopes are used to enroll the scopes eligible for the client. If the particular scope is not defined for the client's allowed scopes, the claims associated with that scope will not be enlisted as part of the token returned by the authorization server.

Lastly, we will define users. To understand the concepts, we will take a simple example and use test users that contain some hard-coded values.

To add the users, add the GetUsers method as follows:

    public static List<TestUser> GetUsers() 
    {  
        return new List<TestUser> 
        {  
            new TestUser 
            {                     
                SubjectId = "1", 
                Username = "scott", 
                Password = "password", 
                Claims = new List<Claim> 
                { 
                    new Claim("name", "scott"), 
                    new Claim("given_name","scott edward"), 
                    new Claim("family_name", "edward"), 
                    new Claim("website", "www.scottdeveloper.com"), 
                    new Claim("email", "[email protected]"), 
                    new Claim("role","admin"), 

                }, 
            }, 
            new TestUser 
            { 
                SubjectId = "2", 
                Username = "richard", 
                Password = "password", 
                Claims = new List<Claim> { 
                    new Claim("role","user") 
                } 

            } 
        }; 
    }

In the preceding code, we added two test users with claims. The user will be authenticated by the authorization server through the username and password specified, and the claims defined for each user will become part of the token if they are part of the allowed scopes.

Finally, we will modify the AddIdentityServer and add Scopes (Identity resources and API resources), Clients, and Users as follows:

    services.AddIdentityServer() 
      .AddInMemoryIdentityResources(Config.GetIdentityScopes()) 
      .AddInMemoryApiResources(Config.GetApiScopes()) 
      .AddInMemoryClients(Config.GetClients()); 
      .AddTestUsers(Config.GetUsers()) 
      .SetTemporarySigningCredential();

The default port to run the web application using dotnet run is 5000, and this can also be configured by calling UseUrls when defining the WebHostBuilder instance in your main Program class.

You can either run the application using the IISExpress option or through the .NET CLI command (dotnet run). For this section, we will run the authorization server through the dotnet run command. You can execute the following command to run the server:

dotnet run

Make sure to execute this command on the path where your project file resides.

Once the server is started, navigate to http://localhost:5000/.well-known/openid-configuration and you will see the discovery document.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.218.136.90