- ABP Framework version: v4.4
- UI type: Angular
- DB provider: EF Core
- Tiered (MVC) or Identity Server Separated (Angular): no
I want to create a system where there are two different types of user with possibly different client apps. Let's say it's an e-commerce system where I need to allow logging in for customers and for employees. They obviously cannot use the same features, so I wanted to create a separate client Angular app for customers just like you did in this sample and added a separate Client in the Identity Server settings. My question is: how can I distinguish these two types of users and prevent one from accessing another's client app? The only possibility I can see is assigning them different roles and authorizing every endpoint. To achieve this I should assign the role automatically when registering a user. Is there a way to assign it based on which client is calling the API?
Or maybe your IdentityServer module provides a different way to achieve it? It's probably a common use case for your framework.
5 Answer(s)
-
0
Is there a way to assign it based on which client is calling the API?
Using roles is the easiest way, and they can be assigned if the apps use different IdentityServer Clients.
In short, we can implement this after user authentication.
-
0
Using roles is the easiest way, and they can be assigned if the apps use different IdentityServer Clients.
In short, we can implement this after user authentication.
Thanks for the quick response. Could you provide any steps on how to intercept the event after authentication and extract information about which client called it? I could not find any sufficient documentation on that matter.
-
0
hi
You can check the request and identity in the middleware.
https://docs.microsoft.com/en-us/aspnet/core/fundamentals/middleware/write?view=aspnetcore-6.0
-
0
I might not have been clear. I want to check the client after a user registers so I can set his role. Is this still the best solution? I think middleware is executed with every API call; it would be useful for checking if the user has the required role, but I first need to somehow set it.
-
0
I want to check the client after a user registers so I can set his role
You can also check the URL of the current request to determine the caller, or add a special header to the request.
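As an added example (not code from ABP or from anyone in this thread), here is plain ASP.NET Core code that puts the three suggestions above together: a middleware that runs after authentication and identifies the calling client from the "client_id" claim IdentityServer places in the access token, falling back to the request path or a custom header, plus a helper that maps the identified client to a role at registration time. The client ids (ECommerce_Customer_App, ECommerce_Employee_App), the header name X-Client-App, the route prefixes /api/employee and /api/customer and the role names are all assumptions; replace them with the values from your own IdentityServer Client settings.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;

// Assumed values; use the ClientId values configured for your two Angular apps.
public static class AppClients
{
    public const string Customer = "ECommerce_Customer_App"; // assumption
    public const string Employee = "ECommerce_Employee_App"; // assumption
    public const string HintHeader = "X-Client-App";         // assumed custom header
}

public static class CallerClient
{
    // Works out which client app sent the request.
    // Order matters: the "client_id" claim comes from the signed access token and
    // is the only signal the server can trust. The path and header are hints for
    // unauthenticated calls (registration has no token yet) and can be forged by
    // any caller, so they should never on their own unlock employee-only behaviour.
    public static string Resolve(HttpContext context)
    {
        var fromToken = context.User?.FindFirst("client_id")?.Value;
        if (!string.IsNullOrEmpty(fromToken))
            return fromToken;

        var path = context.Request.Path;
        if (path.StartsWithSegments("/api/employee")) return AppClients.Employee; // assumed route
        if (path.StartsWithSegments("/api/customer")) return AppClients.Customer; // assumed route

        return context.Request.Headers[AppClients.HintHeader].ToString();
    }
}

// Middleware that blocks a client app from reaching the other app's API area.
// Register it after UseAuthentication() so context.User is populated:
//   app.UseAuthentication();
//   app.UseMiddleware<CallerClientMiddleware>();
public class CallerClientMiddleware
{
    private readonly RequestDelegate _next;
    public CallerClientMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext context)
    {
        if (context.User?.Identity?.IsAuthenticated == true)
        {
            var clientId = context.User.FindFirst("client_id")?.Value;
            var path = context.Request.Path;

            var employeeArea = path.StartsWithSegments("/api/employee"); // assumed route
            var customerArea = path.StartsWithSegments("/api/customer"); // assumed route

            if ((employeeArea && clientId != AppClients.Employee) ||
                (customerArea && clientId != AppClients.Customer))
            {
                context.Response.StatusCode = StatusCodes.Status403Forbidden;
                return;
            }
        }

        await _next(context);
    }
}

// Maps the calling client to a role when a user registers. Assumed to be invoked
// from your own registration flow right after the user has been created.
public class RegistrationRoleAssigner
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly IHttpContextAccessor _httpContextAccessor;

    public RegistrationRoleAssigner(UserManager<IdentityUser> userManager,
                                    IHttpContextAccessor httpContextAccessor)
    {
        _userManager = userManager;
        _httpContextAccessor = httpContextAccessor;
    }

    // Self-registration is unauthenticated, so only the path/header hint is
    // available here. It can only ever grant the low-privilege customer role;
    // employee accounts are created by an administrator, not by self-registration.
    public static string RoleForSelfRegistration(string clientId) =>
        clientId == AppClients.Customer ? "customer" : null; // assumed role name

    public async Task<IdentityResult> AssignAsync(IdentityUser user)
    {
        var context = _httpContextAccessor.HttpContext;
        var clientId = context == null ? null : CallerClient.Resolve(context);
        var role = RoleForSelfRegistration(clientId);
        if (role == null)
            return IdentityResult.Failed(new IdentityError { Description = "Registration is not allowed from this client." });

        return await _userManager.AddToRoleAsync(user, role);
    }
}
```

In an ABP application the same idea applies with ABP's own types: `IdentityUserManager` in place of `UserManager<IdentityUser>`, and `ICurrentClient.Id` (from Volo.Abp.Clients) in place of reading the "client_id" claim by hand. Whichever you use, keep the rule that a client-supplied header or URL decides at most which low-privilege role a self-registered user gets, while anything employee-only is gated on the client id carried in the token.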