Use Token from Identity Server for API Calls

I think these old threads relate to what we’re trying to do:

https://support.squidex.io/t/declined-sso-for-end-users/1236

https://support.squidex.io/t/squidex-identity-and-squidex-identityserver/313

We are managing content with a self-hosted Squidex instance.

Currently our mobile app (and soon a web app) authenticates against our Identity Server instance. We would like that the returned token to also provide auth for making API calls to retrieve Squidex content.

We’ve already connected our Identity Server to our Squidex install so you can login with OIDC and access the admin portal. But our mobile app users will only need auth against the content API.

One other important note: we will have several Squidex “apps”. The API permission (which we’ll limit to read-only) should allow that user’s token to access the content from any app. (Though I imagine we’d have to extend the Squidex platform to do this.)

Hi,

this is only possible if you also manage the Squidex users in your identity server.

Right now the users are managed in Squidex (which is using Identity Server anymore). When you login to Squidex a redirect is done to your Identity Server (just IdSrv from now on) and then the user is created in the Squidex database.

What you need is to replace the whole Identity System in Squidex with your IdSrv. Then Squidex is just an normal API (aka Resource) and you can also define the permissions as you want.

There is a setting which is not documented by purpose called AuthorityUrl: https://github.com/Squidex/squidex/blob/master/backend/src/Squidex/Config/MyIdentityOptions.cs#L16

The Environment variable would be IDENTITY__AUTHORITYURL. You can set this to point to your own Identity Server.

You have to use these claims: https://github.com/Squidex/squidex/blob/master/backend/src/Squidex.Shared/Identity/SquidexClaimTypes.cs#L12

Then you can manage the users there and give them the permissions they need. If you do not want to add contributors this should work out of the box.

If you still want to manage contributors you have another issue: To find out whether a user is valid, the following interface is used: https://github.com/Squidex/squidex/blob/master/backend/src/Squidex.Shared/Users/IUserResolver.cs

This is also used for stuff like rule or the whenever we show an avatar.

You have 2 options here:

  1. Implement this interface to query the user information from your identity server.
  2. Use the Squidex API to manage the users in the Squidex database.

Hi Sebastian,

This is great information and points us in the right direction. We’ve been digging into the Squidex code over last few days, and it’s becoming more clear what we need to do.

Our content is not sensitive, but we just don’t like the idea of our content API allowing anon access. So another path we’re looking at is modifying the permissions check so that any validated token (from our Identity Server) would be granted read access via API. Would something like this allow us to leave most of the Squidex auth in place and minimize our efforts? If you have thoughts on this approach, please let us know.

Thanks again!

I don’t see that it would make anything easier.