Authorization in ASP.net5

Question

I am trying to see if there is something "out of the box" in ASP.net5 for authorization for my application needs. I am using a group/permission based approach for authorization. Using Identity3 I am using Role as Group and then I have created permissions from this. Each permission has a resource that it links to and 1 or more values, like:

Resource = Page, Permissions = Add, Update, View, Delete

Another complication is that the groups have dynamic names, and dynamic permissions!!

I have started to read about authorization in ASP.net5 and it seems that I have found something called Policies, which sound good. It seems to force you to use Claims, which is possible if I use a ClaimsTransformer to get all my permissions and add them as claims from the Db. But am I right in thinking that I would have to create a policy for each Permission, on each resource? That seems like a lot of setup.

Is there anything that I do not know about is already built in ASP.net5 that I could use? Like an attribute like this

[Authorize("Page", "Delete")]

Which I could add to the PageController Delete method.

If I have to use some sort of service and DI that into the controller to implement this, then that would be fine as well.

Answer 1

There is a ClaimsPrincipalPermissionAttribute that can fit to your requirements.

Or you can implement your own AuthorizeAttribute.

Answer 2

I use AspNet.Security.OpenIdConnect.Server for authorization. But you can also have a look at OpenIddict

In any case you can add the Authorize attribute to any method you want like this

[Authorize(Roles = "Administrator,SimpleUser,AnOtherRole")]
public void MyMethod() {}

Answer 3

Resource based authorization might fulfill your needs, but I am a little confused with the page being the resource, rather than what the page acts upon.

Taking your Page/Delete combination, I would imagine that rather than the resource being Page, your Page Delete action takes a parameter, indicating the page that is to be deleted? (If this is not the case then this approach isn't going to work of course)

In this case you'd do something like

[Authorize]
public class PageController : Controller
{
    IAuthorizationService _authorizationService;

    public PageController(IAuthorizationService authorizationService)
    {
        _authorizationService = authorizationService;
    }

    public Delete(int pageId)
    {
        var page = pageRepo.GetPage(pageId);
        if (await authorizationService.AuthorizeAsync(User, page,  Operations.Delete))
        {
            return View(page);
        }
        else
        {
            return new ChallengeResult();
        }
    }
}

In order to enable this you're write a handler based on page and an Operations requirement (or any old requirement, but a parameterized operations requirement means you can write a single handler and branch accordingly).

We tried very hard to move away from putting data in the attribute, and move it into requirements, because data in attributes is, to be frank, a maintenance nightmare.

One other thing to note; as handlers are resolved through DI you could inject your user to permissions resolver into the handler, which would avoid using claims transformation.

Answer 4

ASP.NET provides authentication mechanism out of the box which is easy to use, example:

public class HomeController : Controller
{
    [Authorize]
    public ActionResult Index()
    {
        ViewBag.Message = "This can be viewed only by authenticated users only";
        return View();
    }

    [Authorize(Roles="admin")]
    public ActionResult AdminIndex()
    {
        ViewBag.Message = "This can be viewed only by users in Admin role only";
        return View();
    }
}

Check this tutorial

Or if you want more sophisticated mechanism you can implement your own memberhsip provider based on the ASP.NET Membership Provider