
I've recently joined a project team and have been tasked with setting up User Roles for the backend of the project. It uses ASP.NET C# WebApi with Owin. My issue is, when I assign an attribute to the Controller Method like this:

[Authorize(Roles = "Admin")]

The response is always "Authorization denied for this request". However, if I simply use:

[Authorize]

It works. Note that I am logging in with a User that has been assigned the Role of Admin.

I've noticed that this question is similar to: Authorization roles WebAPI oauth owin

However, it seems their code in startup.cs is different somehow, or else I'm struggling to follow the answer correctly.

The code in the startup.cs that I have to work with is:

public void Configuration(IAppBuilder app)
{
    // configure OAuth
    ConfigureOAuth(app);

    // configure Web API
    HttpConfiguration config = new HttpConfiguration();
    WebApiConfig.Register(config);
    app.UseWebApi(config);
}

public void ConfigureOAuth(IAppBuilder app)
{
    OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
    {
        AllowInsecureHttp = true,                          // allows the token endpoint over plain HTTP (development only)
        TokenEndpointPath = new PathString("/token"),
        AccessTokenExpireTimeSpan = TimeSpan.FromDays(1),
        Provider = new SimpleAuthorizationServerProvider() // issues the ClaimsIdentity that ends up in the token
    };

    // Token Generation
    app.UseOAuthAuthorizationServer(OAuthServerOptions);
    // Token validation: turns "Authorization: Bearer <token>" back into the ClaimsIdentity
    app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
}

Is there something else I need to add in here to allow for Roles, or should it be somewhere else in the code? I'm not completely familiar with ASP.NET C# MVC or WebApi; any help is severely appreciated.

1 Answer

In SimpleAuthorizationServerProvider

you have a method like GrantResourceOwnerCredentials:

using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;          // DefaultAuthenticationTypes
using Microsoft.Owin.Security.OAuth;

public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
    await Task.Run(() =>
    {
        // ...logging logic...
        var loginResult = authRepository.Login(context.UserName, context.Password);
        if (!loginResult.Success) return;   // not calling Validated() rejects the token request
        // ...logging logic...

        var claims = new List<Claim>();
        claims.Add(new Claim(ClaimTypes.Role, loginResult.Role)); // <-- here: the role claim [Authorize(Roles = ...)] checks
        var id = new ClaimsIdentity(claims, DefaultAuthenticationTypes.ExternalBearer);
        context.Validated(id);              // this identity is serialized into the access token
    });
}

And loginResult is something that is returned by your repository/DAL layer.

  • Great, but how do I find, say, the ID of the user within this so I can retrieve their role from the DB? – Colum Jul 01 '16 at 08:51
  • I edited my answer; you can access the context.UserName and context.Password properties – el vis Jul 01 '16 at 08:55
  • Should I extend the SimpleAuthorizationServerProvider then, or is there a way to override it from within the Startup? Also, I don't see any login method in this Repo. I haven't set up this project or backend, I just have to work with it :/ – Colum Jul 01 '16 at 08:59
  • @Colum Why don't you ask them how the stuff works! Are these guys your colleagues or your enemies? – Legends Jul 01 '16 at 09:01
  • Holiday period... doesn't help. Also, I'm not too sure if they knew exactly what they were doing. I believe it was set up by following a tutorial which didn't go near Roles and Claims – Colum Jul 01 '16 at 09:02
  • The assign-roles logic should be inside `SimpleAuthorizationServerProvider`, as I said. Open it and find how they assign roles; it should be similar to my answer – el vis Jul 01 '16 at 09:04
  • Sorry, finally just worked my way around the code, makes more sense now. Thanks – Colum Jul 01 '16 at 09:12
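The following is an added example, not code from the question or the answer above, showing a complete OAuthAuthorizationServerProvider that puts the user's role into the access token so that `[Authorize(Roles = "Admin")]` passes. The IAuthRepository / LoginResult types are hypothetical stand-ins for whatever the project's repository layer returns; everything else is the Microsoft.Owin.Security.OAuth API. Unlike the answer, it uses context.Options.AuthenticationType ("Bearer") for the identity and rejects a failed login explicitly with SetError, so the client gets an invalid_grant response instead of a silent failure.

```csharp
// Added example (not the original poster's or answerer's code).
// Assumptions: a hypothetical IAuthRepository.Login(...) returning a LoginResult
// with Success, UserId and Role; the Microsoft.Owin.Security.OAuth package.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

public class LoginResult            // hypothetical DAL result
{
    public bool Success { get; set; }
    public string UserId { get; set; }
    public string Role { get; set; }
}

public interface IAuthRepository    // hypothetical repository contract
{
    LoginResult Login(string userName, string password);
}

public class SimpleAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    private readonly IAuthRepository _authRepository;

    public SimpleAuthorizationServerProvider(IAuthRepository authRepository)
    {
        _authRepository = authRepository;
    }

    // Resource-owner password flow with a public client (no client secret):
    // the request must be marked valid here, or the token endpoint
    // rejects every call with invalid_client before GrantResourceOwnerCredentials runs.
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated();
        return Task.FromResult<object>(null);
    }

    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var loginResult = _authRepository.Login(context.UserName, context.Password);
        if (!loginResult.Success)
        {
            // Token endpoint answers 400 with this OAuth error payload.
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return Task.FromResult<object>(null);
        }

        // context.Options.AuthenticationType is "Bearer", the type the bearer
        // middleware registered in Startup will hand back to Web API.
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, loginResult.UserId));
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));

        // [Authorize(Roles = "Admin")] calls IPrincipal.IsInRole("Admin"); on a
        // ClaimsPrincipal that looks for a claim of type ClaimTypes.Role (the
        // identity's default RoleClaimType). A role stored under any other claim
        // type is ignored, which is exactly the "Authorization denied" symptom
        // in the question.
        identity.AddClaim(new Claim(ClaimTypes.Role, loginResult.Role));

        // The identity is serialized into the access token; every later request
        // carrying "Authorization: Bearer <token>" is evaluated against these claims.
        context.Validated(identity);
        return Task.FromResult<object>(null);
    }
}
```

To exercise it against the Startup shown in the question: POST `grant_type=password&username=<user>&password=<pass>` as form data to `/token`, take `access_token` from the JSON response, and send it as `Authorization: Bearer <access_token>` to the action decorated with `[Authorize(Roles = "Admin")]`; a user whose LoginResult.Role is "Admin" gets 200, any other authenticated user gets 401 from the same attribute.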