IdentityServer / OIDC claims and roles

Hope you can help.

We are hosting our own Squidex and have set up authentication against our separate IdentityServer 4 server by setting the OIDC settings in appsettings.json. I am a bit confused - we have many users who can log in to IdentityServer - some should be able to access Squidex and some should not. The ones that can access Squidex we want to map to different Squidex roles - admins etc. What roles or claims do we need to achieve this?
Example:
Joe Bloggs is a valid IDS user and should be able to access Squidex as an administrator.
Jane Doe is a valid IDS user and should be able to access Squidex as a content author.
Jim Beam is a valid IDS user but should not have any access to Squidex.

Any advice is really appreciated.

You cannot stop people from using Squidex, BUT…

  1. You can map users to become admins:

Give them an admin permission

The claim types: urn:squidex:permissions=squidex.*
https://github.com/Squidex/squidex/blob/835274396f58f9b9f8f11bab8956639337a97a5b/backend/src/Squidex.Shared/Identity/SquidexClaimTypes.cs

The permissions:

  2. Disable the creation of apps:
    https://github.com/Squidex/squidex/blob/835274396f58f9b9f8f11bab8956639337a97a5b/backend/src/Squidex/appsettings.json#L67

  3. Lock new users automatically:
    https://github.com/Squidex/squidex/blob/835274396f58f9b9f8f11bab8956639337a97a5b/backend/src/Squidex/appsettings.json#L464

  4. Use appropriate roles for your other users when you invite them to the app.
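
One way to issue the admin claim from the IdentityServer 4 side, as an added example that is not part of the original thread or of Squidex's own code: a profile service that adds `urn:squidex:permissions=squidex.*` only for chosen users and only in tokens for the Squidex client. The client id `squidex` and the subject id `joe.bloggs` are made up for the example, and it assumes Squidex receives the claim through the ID token or the userinfo endpoint.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.Extensions.Logging;

public sealed class SquidexProfileService : DefaultProfileService
{
    // Claim type and value as given in the answer above.
    private const string PermissionsClaim = "urn:squidex:permissions";
    private const string AdminPermission = "squidex.*";

    // Assumption: the client id under which Squidex is registered in IdentityServer.
    private const string SquidexClientId = "squidex";

    // Constructed sample data: subject ids of the users who should become
    // Squidex admins. Replace with a lookup against your user store.
    private static readonly HashSet<string> SquidexAdmins =
        new HashSet<string>(StringComparer.Ordinal) { "joe.bloggs" };

    public SquidexProfileService(ILogger<DefaultProfileService> logger)
        : base(logger)
    {
    }

    public override async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        // Keep the default behaviour (requested claims such as name and email).
        await base.GetProfileDataAsync(context);

        // Do not put the Squidex permission into tokens for other clients.
        if (context.Client?.ClientId != SquidexClientId)
        {
            return;
        }

        if (SquidexAdmins.Contains(context.Subject.GetSubjectId()))
        {
            context.IssuedClaims.Add(new Claim(PermissionsClaim, AdminPermission));
        }
    }
}
```

Register it with `AddProfileService<SquidexProfileService>()` on the IdentityServer builder.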

Thanks so much Sebastian for your quick reply :grinning: