Role-based access control

It is common to use role-based access control, so even though we recommend permission-based access control, we show here what the application needs to do to check whether a user belongs to a role (called a group in Authway). To include the groups a user belongs to, you must add the roles scope to your authorization request.

HTTP/1.1 302 Found
Location: https://YOURINSTANCE.irmciam.se/connect/authorize?
          client_id=YOUR_CLIENT_ID
          &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcallback
          &response_type=code
          &scope=openid%20roles
          &state=YOUR_STATE

When doing so, you will receive one role claim for each group the user belongs to.

Even though this is straightforward to start with, the role-based model has several challenges that often lead to many changes related to access control. For many features it is common that several groups should have access, which leads to very large if-statements. In a multi-tenant system (like the IdP, where each customer, reseller, partner, your own organisation, etc., is its own tenant), it is also hard to guarantee the names of the groups. For this reason the IdP has a concept of built-in groups that cannot be renamed, and these must be used for role-based access control.

Example of using role-based access control

C# example

To include the roles a user belongs to, an additional scope and a claim action must be added to the AddOpenIdConnect configuration:

options.Scope.Add("roles"); // Authway groups are delivered as "role" claims
options.ClaimActions.MapJsonKey("role", "role");

// Keep the short claim type "role" instead of mapping it to the long Microsoft URI claim type,
// so that RoleClaimType below matches what the IdP actually sends
options.MapInboundClaims = false;
options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
{
    NameClaimType = "name", // Or your preferred claim for the user name
    RoleClaimType = "role"
};

With this additional configuration, claims of type "role" will be retrieved, and since RoleClaimType was set to "role" above, the standard ways of checking role membership now work:

if (User.IsInRole("admin"))
    ...

or:

[Authorize(Roles = "admin")]

Tip: the IdentityModel package provides constants for many claim types, which is preferable to the hard-coded strings used in the examples above.
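As an added end-to-end example (not part of the Authway documentation), the following minimal ASP.NET Core Program.cs applies the configuration above, replaces scattered group checks with one named policy bound to a built-in group, and exposes an endpoint that lists the role claims a signed-in user received. It assumes .NET 6+ with implicit usings and the Microsoft.AspNetCore.Authentication.OpenIdConnect package; the Authority, client id/secret, route names and the assumption that "admin" is a built-in group are placeholders.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        // Placeholders: replace with your Authway instance and client registration.
        options.Authority = "https://YOURINSTANCE.irmciam.se";
        options.ClientId = "YOUR_CLIENT_ID";
        options.ClientSecret = "YOUR_CLIENT_SECRET";
        options.ResponseType = "code";

        options.Scope.Add("roles"); // one "role" claim per Authway group
        options.ClaimActions.MapJsonKey("role", "role");

        // Keep the claim type "role" (not the long Microsoft URI type) so RoleClaimType matches what the IdP sends.
        options.MapInboundClaims = false;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            NameClaimType = "name",
            RoleClaimType = "role"
        };
    });

// One named policy per capability, bound to a built-in (non-renamable) group; "admin" is assumed to be one.
builder.Services.AddAuthorization(options =>
    options.AddPolicy("CanManageUsers", policy => policy.RequireRole("admin")));

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Lists the groups delivered as "role" claims for the signed-in user.
app.MapGet("/me/roles", (ClaimsPrincipal user) =>
    user.FindAll("role").Select(c => c.Value).ToArray()).RequireAuthorization();

// Controllers can use [Authorize(Policy = "CanManageUsers")] for the same check.
app.MapGet("/admin/users", () => "only members of the admin group get here")
   .RequireAuthorization("CanManageUsers");

app.Run();
```

Adding a second group to a capability then means changing the policy in one place rather than every if-statement or attribute that names the group.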