Is it possible to have Authentication by IdentityServer4 and Authorization in the API, separately?

0

I recently asked a question on stackoverflow in English, however I may have expressed myself poorly and did not get the answer I wanted. Link in English.

I have 3 different applications: IdentityServer, which is my identity provider; Teaching.MVC, which is the frontend in Asp.net mvc; and Teaching.Api, which is the Api itself. The authentication process, claims definition, scopes, and everything else is up and running. It turns out that in the Api I need to define specific Api Claims. For example:

IdentityServer: Authenticates the user and provides the access_token that gives the Mvc access to the Api. This token contains Profile, Email, User Id, and everything else that refers to the user. This application has access only to the Identities database.

Teach.Mvc: Logs in to the IdentityServer and saves the access_token for Api access. This entire process is described in the IdentityServer4 documentation.

Teaching.Api: Here is the key to the question. The Token that the Api receives contains the claims referring to the user: Id, profile, email ... But the Api needs to restrict the access of certain users to certain resources. The Api has access only to the application database, and does not have access to the identity database. So in the Api, through the user id, I check whether he has registered schools. If so, I must assign him the Claim "Director". This same user can also be a student, so I check the database whether he has an "enrollment". If so, I give him the Claim "Student". But I have no idea how I do it at the Api level.

Summary: According to the claims received in the Api through the access-token, I have to generate new claims, which are specific to the Api, and save them so they can be accessed by the context and validate the Policies. All this in the Api.

If someone knows a better way to do this access control, suggestions are always welcome.

asked by anonymous 15.03.2018 / 23:27

1 answer

0

I believe that the identity server should hold only the necessary user data; any other information that belongs just to the application you should add to the Claims as soon as the token is validated.

For this you can use the instance of JwtBearerEvents.

Why this way? Because you can apply your identity server to several other applications that will not always have the same user data.

18.09.2018 / 19:10
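The approach the answer describes, written out as an added example for the Teaching.Api side (this is illustrative code, not code from the question, the answer or IdentityServer4's own samples). It assumes an ASP.NET Core 2.x Startup with the Microsoft.AspNetCore.Authentication.JwtBearer package, and the repository interface `ISchoolRepository`, its methods `IsDirectorAsync` / `IsStudentAsync`, the claim type `api_role` and the policy names are hypothetical names chosen for the example. The JwtBearer middleware validates the token issued by IdentityServer (issuer, signature, lifetime, audience); only after that succeeds does `OnTokenValidated` run, look the user up in the Api's own database, and attach the Api-specific claims to the principal so that `[Authorize(Policy = ...)]` can evaluate them.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical repository over the Api's own (application) database.
// It never touches the identity database, which the Api cannot reach.
public interface ISchoolRepository
{
    Task<bool> IsDirectorAsync(string userId);   // has at least one registered school
    Task<bool> IsStudentAsync(string userId);    // has at least one enrollment
}

public class Startup
{
    // Claim type that is local to this Api. Keeping it distinct from the
    // token's own claims makes clear where each claim was decided.
    public const string ApiRoleClaim = "api_role";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddScoped<ISchoolRepository, EfSchoolRepository>(); // EfSchoolRepository: your implementation

        services
            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = "https://identityserver.example"; // placeholder: your IdentityServer URL
                options.Audience = "teaching.api";                      // placeholder: the Api resource name
                options.Events = new JwtBearerEvents
                {
                    // Runs only after issuer, signature, lifetime and audience were validated.
                    OnTokenValidated = async ctx =>
                    {
                        // IdentityServer puts the user id in "sub". If the default inbound
                        // claim-type mapping is still active, it arrives as NameIdentifier instead.
                        var userId = ctx.Principal.FindFirst("sub")?.Value
                                  ?? ctx.Principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
                        if (string.IsNullOrEmpty(userId))
                        {
                            ctx.Fail("token carries no subject claim");
                            return;
                        }

                        var repo = ctx.HttpContext.RequestServices.GetRequiredService<ISchoolRepository>();
                        var apiIdentity = new ClaimsIdentity();

                        // A user can be both; each lookup adds its own claim independently.
                        if (await repo.IsDirectorAsync(userId))
                            apiIdentity.AddClaim(new Claim(ApiRoleClaim, "Director"));
                        if (await repo.IsStudentAsync(userId))
                            apiIdentity.AddClaim(new Claim(ApiRoleClaim, "Student"));

                        // A user with neither role keeps a valid token; the policies below
                        // simply deny him the protected endpoints.
                        if (apiIdentity.Claims.GetEnumerator().MoveNext())
                            ctx.Principal.AddIdentity(apiIdentity);
                    }
                };
            });

        services.AddAuthorization(options =>
        {
            options.AddPolicy("DirectorOnly", p => p.RequireClaim(ApiRoleClaim, "Director"));
            options.AddPolicy("StudentOnly",  p => p.RequireClaim(ApiRoleClaim, "Student"));
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication(); // must precede MVC so the principal is built before authorization runs
        app.UseMvc();
    }
}

[Route("api/schools")]
public class SchoolsController : Controller
{
    [HttpGet("mine")]
    [Authorize(Policy = "DirectorOnly")]
    public IActionResult Mine() => Ok(new { user = User.FindFirst("sub")?.Value });
}
```

Because the roles are looked up on every request rather than baked into the access token, revoking a director's school takes effect immediately instead of at token expiry; the cost is one database round trip per request, which a short-lived cache keyed by user id can absorb if it becomes a problem. Note also that `IsDirectorAsync` returning false is not a reason to call `ctx.Fail()`: the token is still valid, the user simply has no extra Api claims, and the policies are what deny access.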