
When we build ASP.NET Web API endpoints, we can protect them using the [Authorize] attribute and use a bearer token to authenticate the request and call the endpoint.

My question is about authorization and how we can better grant access to resources once authentication has succeeded.

For example, if there is an endpoint api/contracts/details and I want to restrict access to it to specific people (I am talking about SQL table fields (object properties), or even the whole table), how can this be achieved?

I have a feeling that roles are not the best option here. Any advice?

Or:

After a user registers, he can generate a client_id and client_secret that he must present when requesting the bearer token. I can add the client_id as a claim within the token.

In the database I have tables like this:

  • User (user details)
  • Client (client_id, client_secret ... etc)
  • RefreshToken (refresh_token, protected ticket)

I can create another table called Access where I specify all the allowed endpoints (Client table -> Access table, one-to-many relation).

Access Table:

  • api/user
  • api/devices
  • api/products

Then I can create a message handler and inspect all incoming requests: decode the bearer token, extract the client_id and query the Access table for the allowed endpoints. If the incoming request matches one of the allowed endpoints, let it pass; otherwise reject it.

This should work I guess?

David Dury

1 Answer


You are best off using the Roles attribute, but you will need to create a TokenValidationHandler. Check this excellent answer here.

nik0lai
  • I don't need to have a custom token validation process in a delegating handler, as the bearer authentication token does that for me simply by using the Authorize attribute on the controller or action within the API controller. – David Dury Mar 02 '15 at 11:09