
I'm developing an application where the backend is ASP.NET OWIN based. In Startup.cs I have IAppBuilder.useCookieAuthentication() { ... }. After successful authentication, the current user with its roles can be accessed via HttpContext in all my Web API controllers.

My JavaScript client side needs knowledge of these roles in order to know how to display specific items. For example: a user having the administrator role can see additional tabs.

My question is: what's the best way to 'transfer' these roles to the client side? Is it by writing some endpoint which will return these roles, or is there another way?

Thanks

2 Answers


I totally agree with @cassandrad!

But if you want to access it as plain text, then you have to provide your own implementation of TicketDataFormat in the CookieAuthenticationOptions.

using System.Linq;
using System.Security.Claims;
using Microsoft.Owin.Security;

public class CustomAccessTokenFormat : ISecureDataFormat<AuthenticationTicket>
{
    // Custom serialization: the ticket is written as "UserName|Role1|Role2|...".
    // Nothing here is encrypted or signed, so the cookie can be read and altered by the client.
    public string Protect(AuthenticationTicket ticket)
    {
        var roles = ticket.Identity.FindAll(ClaimTypes.Role).Select(c => c.Value);
        return ticket.Identity.Name + "|" + string.Join("|", roles);
    }

    // Deserialize the plain text back into an AuthenticationTicket
    public AuthenticationTicket Unprotect(string strTicket)
    {
        var parts = strTicket.Split('|');
        // "ApplicationCookie" is assumed to be the authentication type used in Startup.cs
        var identity = new ClaimsIdentity("ApplicationCookie");
        identity.AddClaim(new Claim(ClaimTypes.Name, parts[0]));
        foreach (var role in parts.Skip(1))
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
        return new AuthenticationTicket(identity, new AuthenticationProperties());
    }
}
Legends

You don't need to pass information about roles or permissions in a “raw” state to the client side. Instead, you should have an AuthenticationTicket — the thing that holds all information protected and encrypted. So, if you are using a correct implementation of the OWIN middleware, there is no need to do anything by yourself — the middleware will add all the necessary data to your response (inside cookies), and the client only needs to resend this information back to the server the next time it wants to access some resources on the server.

And yes, I'm implying that you shouldn't have any information about permissions on your client side — it is not secure.

cassandrad
  • In my case I need to display specific items on the client side based on what roles the user has. So I need to somehow 'transfer' these roles to the client side. The question is then how to 'transfer' these roles to the client side – Jaunius Eitmantis Jun 14 '16 at 17:27
  • @JauniusEitmantis, you don't need the actual roles on the client side. If it is only a question of animation, then you can send anything to the client side to mark somehow which kind of animation you want to show. If it is a question of displaying some particular information (text), then you can send the particular text and make the decision on the server side. And if it is some functionality, then you need to prepare all the necessary scripts, data and markup on the server side and then send it to the client side, depending on the particular role. In general, the client side should not operate with such terms as roles – cassandrad Jun 14 '16 at 19:00
  • Could you elaborate a bit more about this? Why is it a bad idea to hide/show HTML items based on what role the user has? If a malicious user tries to unhide these elements, he will not get any access to the server anyway and will not see any content, since the server will return unauthorized.. – Jaunius Eitmantis Jul 06 '16 at 18:51
  • It is a bad approach in general. Of course, in case you only show or hide some HTML markup, then you are pretty safe. But everything else that depends on roles should be prepared on the server side to avoid the possibility of harmful actions from the user. And if you place some logic related to permission checks on the server side and some logic on the client side, it will look strange and inconsistent. This subject is pretty wide and it is better to receive a good answer in a separate question. – cassandrad Jul 06 '16 at 19:09
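The "write an endpoint" option from the question, done so that the server stays the authority on roles: the endpoint returns the role claims the cookie middleware already established as display hints only, and the privileged controller keeps its own [Authorize(Roles)] check. This is an added example, not code from either answer; the ProfileController/AdminController names, the api/me and api/admin routes, attribute routing being enabled in WebApiConfig, and the "Administrator" role name are assumptions.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Web.Http;

// Assumed names: the controller, the "api/me" route and the "Administrator" role are
// illustrative. Requires config.MapHttpAttributeRoutes() in WebApiConfig (assumed).
[Authorize]
[RoutePrefix("api/me")]
public class ProfileController : ApiController
{
    // What the client receives: a UI hint derived from the server-side identity,
    // never a grant of rights the client could extend by editing it.
    public class ProfileDto
    {
        public string UserName { get; set; }
        public string[] Roles { get; set; }
    }

    // GET api/me - returns the name and role claims of the authenticated user.
    // [Authorize] rejects anonymous callers before this body runs.
    [HttpGet, Route("")]
    public ProfileDto Get()
    {
        var identity = User.Identity as ClaimsIdentity;
        var roles = identity == null
            ? new string[0]
            : identity.FindAll(ClaimTypes.Role).Select(c => c.Value).Distinct().ToArray();

        return new ProfileDto { UserName = User.Identity.Name, Roles = roles };
    }
}

// The privileged resource keeps its own check, so unhiding a tab in the browser
// changes nothing: a request from a user without the role is rejected by the filter.
[Authorize(Roles = "Administrator")]
[RoutePrefix("api/admin")]
public class AdminController : ApiController
{
    [HttpGet, Route("report")]
    public IHttpActionResult Report()
    {
        return Ok(new { generatedFor = User.Identity.Name });
    }
}
```

The client can call api/me once after login to decide which tabs to render, while every call to api/admin is still authorized against the cookie's ticket on the server.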