Suppose I have two models:

using System;
using System.Collections.Generic;

class Customer {
    // Guid is the .NET type; "GUID" does not exist in the BCL
    public Guid CustomerID { get; set; }
    // users who are allowed to access this customer's data
    public IEnumerable<User> SubscribedUsers { get; set; }
    //other fields
}

and

class User {
    public Guid UserID { get; set; }
    //other fields
}

I want to implement BL with ASP.NET Identity to restrict authorization: if the user is in SubscribedUsers, access is granted; otherwise it is denied.

I don't ask you to implement it for me. Just give me the best practice for how I can do it and where I can write this wrapper of business logic...

I think I have to implement a custom OAuthAuthorizationServerProvider, don't I?

pavel
  • I do not know if this works in MVC4 as well. You could perhaps use a filter attribute. Take a look at the example here: https://stackoverflow.com/questions/43802683/folder-authorization-in-asp-net-identity-2-1/43807504#43807504 You can look up the subscription from the database. – Jun 09 '17 at 19:28

1 Answer

I think the easiest way is to add a new Claim (https://learn.microsoft.com/en-us/aspnet/core/security/authorization/claims). Call it SubscribedOnly and add this claim to the specified user (How to add claims in ASP.NET Identity).

In general I would try to find a built-in possibility to solve your problem before you try to overwrite something.

The authorization logic will be placed in your controller. You can put the attribute [Authorize] on top of your Controller (which means that every ActionMethod is only available for logged-in users) or on top of every ActionMethod whose access should be secured.

Working with this attribute is very easy and straightforward for a wide range of implementations!

If you're looking for a good resource to understand Identity or to customize it, I'll recommend John Atten's blog: http://johnatten.com/?s=identity

Joshit
  • Documentation from ASP.NET Core is not likely to be helpful if the question is tagged mvc4. – Jun 09 '17 at 19:25
  • What should be done if the subscription is removed? As long as the claim exists (token is not expired / user didn't log out) the user will have access to the resource. – Jun 09 '17 at 19:25
  • Thanks @RuardvanElburg for checking my post. I think Pavel will find a resource for implementing claims in ASP.NET 4 ;) If someone starts a new project, I would always recommend usage of claims-based identity because it's dynamic and modular. The most annoying problem I've had with programming is the growth of requirements. That's why a modular, flexible approach is kinda best practice... – Joshit Jun 12 '17 at 17:15
  • @RuardvanElburg There will be tons of possibilities to follow your subscription-removal logic. You are right: there will be a need to solve this problem. But that is some problem which has not so much to do with claims..? – Joshit Jun 12 '17 at 17:17
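A concrete form of the filter-attribute approach suggested in the comments, written for ASP.NET MVC (System.Web.Mvc) as an added example, not code from the question or the answer. The ICustomerRepository seam, the static Repository hook and the customerId route key are assumptions; the attribute re-checks the subscription against the store on every request, which is one way to address the subscription-removal point raised above.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;
public class User { public Guid UserID { get; set; } }
public class Customer { public Guid CustomerID { get; set; } public IEnumerable<User> SubscribedUsers { get; set; } }
// Assumed data-access seam (not on the page): resolves a Customer by its ID.
public interface ICustomerRepository { Customer Find(Guid customerId); }

// Grants access only if the signed-in user is subscribed to the customer named in the route.
// The subscription is re-checked on every request, so a removed subscription takes effect
// at once instead of living on in a claim until the token expires or the user logs out.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class SubscribedUserAttribute : AuthorizeAttribute
{
    // Assumed composition-root hook; in a real app resolve this from your DI container.
    public static Func<ICustomerRepository> Repository =
        () => { throw new InvalidOperationException("SubscribedUserAttribute.Repository not set"); };

    // Route value that carries the customer ID, e.g. /Customers/Report/{customerId}.
    public string CustomerIdRouteKey { get; set; }
    public SubscribedUserAttribute() { CustomerIdRouteKey = "customerId"; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Keep the base checks: authenticated, plus any Roles/Users set on the attribute.
        if (!base.AuthorizeCore(httpContext)) return false;
        // ASP.NET Identity stores the user ID in the NameIdentifier claim (what GetUserId() reads).
        var identity = httpContext.User.Identity as ClaimsIdentity;
        var idClaim = identity == null ? null : identity.FindFirst(ClaimTypes.NameIdentifier);
        Guid userId, customerId;
        if (idClaim == null || !Guid.TryParse(idClaim.Value, out userId)) return false;
        // Read the customer ID from the same route value the action binds, so check and action agree.
        var raw = httpContext.Request.RequestContext.RouteData.Values[CustomerIdRouteKey] as string;
        if (!Guid.TryParse(raw, out customerId)) return false;
        var customer = Repository().Find(customerId);
        return customer != null && customer.SubscribedUsers != null
            && customer.SubscribedUsers.Any(u => u.UserID == userId);
    }

    // A signed-in but unsubscribed user gets 403 rather than a redirect to the login page.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else base.HandleUnauthorizedRequest(filterContext);
    }
}
```

Decorate the action as `[SubscribedUser] public ActionResult Report(Guid customerId)`; the action's own code never has to repeat the membership test.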