Identityserver4 with multiple (custom) user stores - multi-tenant

We're designing a green field multitenant (web/mobile) system, and plan to use IdentityServer4.
I lieu of first-class multitenant support in IdentityServer4 we're looking into having separate user stores per tenant. When trying to figure out how to go about doing this, I've looked at the implementation of https://github.com/IdentityServer/IdentityServer4.AspNetIdentity
It appears to be registering an implementation of IResourceOwnerPasswordValidator, which only is called when using the 'Resource owner password' grant type.
Which interfaces should be implemented and registered to support custom/multiple user stores in the other (e.g. implicit) grant types?
--
Thor A. Johansen

Interactive login logic goes into the "account controller". You can use the acr_values parameter (or some custom parameter) to indicate the tenant ID from the client and then retrieve that in the controller via the IIdentityServerInteractionService.GetAuthorizationContext method.

Related

Spring Security: Creating multiple entry point for securing different rest controllers

I'm exploring the Spring framework, and in particular I am working on a Cinema Management Application that will be connected to a React.JS SPA (Single Page Application).
The problem is the following. On my database I do have three different tables representing three different types of users, namely Admin, Customer, and Cinema_Employee.
For each type of user, I created a #RestController with a list of RequestMethods that a particular user is able to perform:
"/admin"
"/customer"
"/employee"
What I am trying to achieve now, it's to secure each endpoint offering three different login pages that will handle the authentication the respective type of user.
How can I set up three AuthenticationManager that handle different Authentication objects within a SecurityConfig class given these requirements, and most importantly, how can I override the Authorisation mindful that each user once has logged in, will have access only to the respective endpoint?
I looked carefully at other examples online, and most of them are radical different, following a pattern where the database has another additional 'Authorities' table aside the 'user' one that stores the credential. In my case this solution cannot be applied, not only because the whole design would become redundant, but also because the name of the table where the application will perform the authentication check against, explicitly imply the authorisation that a given user has inside the system.
Your design sounds strange to me.
A user should have a role, e.g. Admin, Customer, Employee and based on the user's role he gets access to methods or not. Have a look at role based access control concepts. For Spring Security there is for example this tutorial:
https://www.baeldung.com/role-and-privilege-for-spring-security-registration

.Net Core Microservices different User Type based on IdentityUser

I am pretty new to Microservices and I am confused how to easily manage different type of user through all microservices.
Let start with thee Idea:
I have a list of UserType like : SiteManager, Driver, Owner, SupportPerson- this user types had specific properties each and using a single type [USER] is not relevant, but I can use roles to manage authorization for specific microservice - this can be achieved using role manager. I would like to have different user types and Link Models to an IdentityUser like:
Driver [UserId, LocationPoint, CurrentVehicle,LicenseNumber].
Owner [UserId,Email...]
SiteManager[UserId,SiteId,Email,LocationPoint]
This 3 Types of User will handle 3 different Mobile Applications, and each application will bind to an API, or an AggregatorAPI
Identity.APILogin (create user token and pass across Services). Register -> Register a USER and return USER_ID
Driver.API Register a Driver (Call to Identity.API and get a valid User ID then create a Driver Entity), Do stuff on Driver.API
SiteManagerAPI Register SiteManager(Call to Identity.API and get a valid User ID), create order for drivers
Identity User should be a separate DB
So my questions is: Can I call my IdentityAPI microservice to create and save a new User, then I can use this
UserId to link to a new Driver Or SiteManager or SupportPerson, and in the same time using Identity microservice to Manage Authentification and Authorization? Or maybe someone has any ideas how to handle a multi-user type scenario when for each user type we need a separate table.

Role based access to service methods using spring and mongodb

I have a requirement where I need to use role based access to service methods. I have restful services and i use spring-data to interact with MongoDB.
There are some of the restrictions that I have. I deal with a document in DB called "Organization". In each organization, I know who are the Admins. I do not have a repository of users who can access the services.
So the only way I can enforce some access based rules is to check if the logged in user is one of the admin's configured for each organization and then allow the user to access the methods.
Should I think of applying Spring security in this case? Otherwise will a simple check on user against the configured admins in the database document help? Can I make this check at a single point so that I can apply it to service methods based on my use case needs.
Please provide your suggestions / thoughts on how to go about this.
If you use Spring Security your rest methods can take advantage of a passed-in authenticated Principal object (example here) whereupon you can do whatever extra validation desired (such as checking if the admin is good for the given organization requested, etc.) There are many other parameters also available, perhaps allowing for this org checking to be done once and stored in the session object.

Changing request level for google project

How do I lower the requested access level of an existing google project?
It's currently asking for:
View your email address
View your basic profile info
Manage your contacts
When all I really want is to authenticate a user for login purposes, and I think all I need for that is:
Have offline access
One of the parameters you are passing when you create a credential is called scope, and contains a list of each of the services your users must authorize.
From the OAuth 2.0 docs, scope contains a string or iterable of strings. Change it to the new scopes you want.

Access User details in membership of Asp.Net MVC application

I am using the default membership authorization that is created when you start a new project in VS for MVC 3. When a user is registered (either if I do it for them in the Administration page or if they register themselves through the Register page created in the application), there is an email field for instance. But where is this stored? Shouldn't I be able to access that e-mail somehow? I can't find it in the User object...
Also, is it possible to add more fields when they register, and to access those as well? For instance address, phone number, etc?
1. Getting the e-mail
You can access the property from the current user by using the Membership object.
Membership.GetUser().Email
2. Extra Fields
The best way to add more fields to the register process is to make another model called UserDetail or something. And make a relationship between User and UserDetail.
Or you throw away the default membership authorization and make a custom one. Here are some handy links:
http://msdn.microsoft.com/en-us/library/f1kyba5e.aspx
http://www.asp.net/learn/videos/video-189.aspx
http://www.15seconds.com/issue/050216.htm
http://davidhayden.com/blog/dave/archive/2007/10/11/CreateCustomMembershipProviderASPNETWebsiteSecurity.aspx
For the extra user fields you can use the ASP.NET profile provider.
here is a good article about how to implement it:
http://ashuthinks.wordpress.com/2012/01/08/asp-net-mvc-profile-provider/

Resources