Is IdentityServer4 a rights management system?

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Is IdentityServer4 a rights management system? This article analyzes and answers the question in detail, in the hope of helping readers who face this problem find a simpler and more workable approach.

We usually understand IdentityServer4 as an authentication and authorization system. Can we therefore also treat IdentityServer as an identity and permission management system?

As the name suggests, IdentityServer4 provides users with a stable identity across websites or applications. "Stable" here means data that does not change during the session, such as the user Id, date of birth, and so on.

But IdentityServer4 is not suited to telling the client or the API what a user is allowed to do, such as reading a document.

In the final analysis, IdentityServer4 is a token service. Readers who know IdentityServer4 may suggest building user permissions out of claims, but claims are not a particularly good medium for that, for the following reasons.

Claims are meant to build the user's identity, not the user's permissions.

The data structure of a claim is very simple, just a string, while the data structure of permissions is very complex.

User permissions depend on the particular client and API, so putting all of a user's permissions into a single identity is clearly problematic. Could they be obtained on demand instead? That is a question that needs to be considered.

User permissions may change during the session, at which point the token has to be obtained again, but obtaining a token requires UI interaction.

Permissions and business logic may overlap. Where should the boundary be drawn in that case?

Sometimes the token is transmitted in a URL, but the length of a browser URL is limited. Wouldn't storing user permissions in claims be a problem then?

Based on the above points, I personally think that identity and user permissions cannot be mixed. In the final analysis, IdentityServer4 was not created for user permissions at all, nor does it provide a corresponding solution. We still need to do a lot of extra work to implement user permissions.

Of course, if the project is small or a private experiment, it is not a problem to express permissions as claims and return them in the token. What I am trying to say is that IdentityServer4 is not meant to be used as a user rights management system.

Here we also need to introduce another concept: roles. Connecting identity, roles, and permissions seems to flow naturally: which role the user's identity belongs to, and which permissions are assigned to that role. At this point, granting user permissions through claims seems fine. In fact, if a user's authorization is based on the user's identity, expressing it through claims is very desirable.

Some people may object that IdentityServer4 has the concept of Scope, so Scope could serve as a user permission. Please don't mislabel it. Scope in IdentityServer4 refers to permissions granted to the client, not to the user.

To sum up: claims are used to build identity rather than user permissions, and permissions cannot be mixed into the token service. If user authorization is based on the user's identity, then using claims is fine.
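The separation argued for above, as an added example that is not code from the article or from the IdentityServer4 project: the API checks the client's scope and the user's identity from the token, and looks up user permissions on demand from its own store. `PermissionStore`, `DocumentApi`, the scope name `documents.api` and the permission name `document:read` are hypothetical, and the claims are assumed to come from an already validated access token with unmapped claim types (`sub`, `scope`).

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Hypothetical permission store owned by the API (in practice a database or
// policy service), so a change takes effect without issuing a new token.
public sealed class PermissionStore
{
    private readonly Dictionary<string, HashSet<string>> _byUser = new()
    {
        ["user-1"] = new HashSet<string> { "document:read" }, // constructed sample data
    };

    public bool IsAllowed(string userId, string permission) =>
        _byUser.TryGetValue(userId, out var granted) && granted.Contains(permission);

    public void Revoke(string userId, string permission)
    {
        if (_byUser.TryGetValue(userId, out var granted)) granted.Remove(permission);
    }
}

public static class DocumentApi
{
    public static bool CanRead(ClaimsPrincipal caller, PermissionStore store)
    {
        // Scope: may this *client* call the documents API at all?
        bool clientAllowed = caller.HasClaim("scope", "documents.api");
        // Identity: the stable subject claim issued by the token service.
        var userId = caller.FindFirst("sub")?.Value;
        // User permission: looked up on demand, never read from the token.
        return clientAllowed && userId != null && store.IsAllowed(userId, "document:read");
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed claims standing in for an already validated access token.
        var caller = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim("sub", "user-1"), new Claim("scope", "documents.api"),
        }, "Bearer"));
        var store = new PermissionStore();
        Console.WriteLine(DocumentApi.CanRead(caller, store));
        store.Revoke("user-1", "document:read"); // permission changes mid-session
        Console.WriteLine(DocumentApi.CanRead(caller, store)); // same token, re-evaluated
    }
}
```

Because the permission is resolved per request by the API, revoking it needs no new token and no UI interaction, and the token stays small enough to carry only identity and scope.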
