OpenIddict: Change permissions/claims for existing users

Hello,

I am not well versed in this area (learning more as I type this!) but I hope what I am saying makes a bit of sense.

We have an OIDC implementation to log into Squidex which is working, however the claims specified are set as permissions when the user first logs in and are not updated on subsequent logins. This means we cannot update the permissions for existing users without either deleting the user and getting them to log in again (but this unlinks their account from changes so you see a lot of ‘Unknown’ in the ‘Last Updated By’ and similar fields), or by manually updating the permissions which can be quite onerous when you have over 100 accounts to update.

Is there a way of specifying a user’s permissions should be updated on login or should that be happening anyway and our implementation could be wrong?

For example, let's say a user logged in when our claims specified the below:

squidex.apps.testapp.assets
squidex.apps.testapp.contents.*.read
squidex.apps.testapp.contents.testschema.create

But we release a new version of our login provider that says that user should have following claims:

squidex.apps.testapp.assets
squidex.apps.testapp.contents.*.read
squidex.apps.testapp.contents.testschema.create
squidex.apps.testapp.contents.testschema.update

That last claim is never assigned to the user as a permission. They are stuck with just:

Any guidance would be greatly appreciated!

Your description of the behavior is correct. The claims are copied to the user in the database when the user is created. When you log in, these claims are added to the JWT token, which makes it worse, because you have to log in again when your permissions change.

A more correct behavior would be to enrich the user information in the API with the permission on each request. This has performance implications that are probably acceptable, because the majority of the requests are coming from clients, not users.

If there were such a mechanism, it would be possible to query the permissions from an external system. Unfortunately there is no standard or specification for that.

We could probably sync the claims on each login but I think it does not really solve the issue.

Apologies, I was meant to reply yesterday but a load of different issues came in to distract me! Thanks for your quick response as usual.

Syncing the claims on each login sounds like it would probably fix our specific issue but obviously you have a lot of other users to consider so if it’s more of a mitigation than a proper fix I can appreciate you not wanting it in the code.

I think what we really want to aim for is mapping our AD Groups directly to Squidex Roles so we have better visibility and control over the permissions (making full use of Squidex’s RBAC), so perhaps I can try making API calls to Squidex to assign users to an app or something based on their claims… I feel like I am entering dodgy territory!

Having said that I need to look into what happens when a user is assigned permissions at the user level, but is also assigned to a role within an App; would you expect permissions from both to be aggregated or does the App role just get ignored?

But does it really solve the problem? I mean it works when a user gets permissions, but if you remove permissions it takes a while.

The permissions are merged: https://github.com/Squidex/squidex/blob/master/backend/src/Squidex.Web/Pipeline/AppResolver.cs#L83

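An illustrative model of what this thread describes, added here as an example and not taken from Squidex's code: permissions copied at user creation stay effective after the login provider stops issuing them, while permissions coming from an App role are merged in. The wildcard rule (`*` matches exactly one segment) and the plain union merge are assumptions of this model, not a statement about Squidex's implementation.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical model of permission strings such as "squidex.apps.testapp.contents.*.read".
static class PermissionModel
{
    // Assumption: "*" stands for exactly one dot-separated segment.
    public static bool Matches(string granted, string requested)
    {
        var g = granted.Split('.');
        var r = requested.Split('.');
        if (g.Length != r.Length) return false;
        return g.Zip(r, (a, b) => a == "*" || a == b).All(ok => ok);
    }

    // Effective permissions: what was copied onto the user at creation,
    // merged (assumed: simple union) with what the user's App roles grant.
    public static HashSet<string> Effective(IEnumerable<string> storedOnUser, IEnumerable<string> fromAppRoles)
        => new HashSet<string>(storedOnUser.Concat(fromAppRoles));

    public static bool IsAllowed(IEnumerable<string> effective, string requested)
        => effective.Any(p => Matches(p, requested));
}

class Program
{
    static void Main()
    {
        // Constructed sample: claims copied to the user on first login.
        var storedOnUser = new[] {
            "squidex.apps.testapp.assets",
            "squidex.apps.testapp.contents.*.read",
            "squidex.apps.testapp.contents.testschema.create",
        };
        // Constructed sample: the provider has since dropped the read permission.
        var issuedByProviderNow = new[] { "squidex.apps.testapp.assets" };
        // Constructed sample: permission granted through an App role instead of a claim.
        var fromAppRole = new[] { "squidex.apps.testapp.contents.testschema.update" };

        var effective = PermissionModel.Effective(storedOnUser, fromAppRole);

        // Stale grant: still allowed from the stored copy, although the provider no longer issues it.
        Console.WriteLine(PermissionModel.IsAllowed(effective, "squidex.apps.testapp.contents.other.read"));
        // Same request against what the provider issues today.
        Console.WriteLine(PermissionModel.IsAllowed(issuedByProviderNow, "squidex.apps.testapp.contents.other.read"));
        // New grant arrives through the App role without touching the stored claims.
        Console.WriteLine(PermissionModel.IsAllowed(effective, "squidex.apps.testapp.contents.testschema.update"));
    }
}
```

The first check passing while the second fails is the removal lag described above; the third shows why mapping groups to App roles gives a grant that can be changed through the API without rewriting stored claims.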

Oh excellent! Will give that a try and see if I can automate Role assignment somehow, being able to use the Squidex App Roles also means we have full API control over it so am pretty confident we can.

Worst case scenario would be having to manually assign contributors to roles which should be manageable for us.

You can also provide a PR and we can have a look at the details.