
I need to add authorization to my asp.net core api and am wondering which one to choose.

Basically my needs are: the caller provides a key and a password (in the header) which I need to authorize against a table in an external database.

I then use the id to check if the caller has rights to the specific client. All objects in the database belong to a client.

I've read about Simple authorization and it looks to provide all I need. Except I want to be able to add an overall authentication to all calls and not have to add the variables Key and Password to every function. Is this possible?

Any tips will be highly appreciated!

SteinTheRuler

1 Answer


What you want is called Basic Authentication and you can use idunno.Authentication for that purpose.

The demo here can help you in using that.

For global authentication you can simply use the code below:

services.AddMvc(config =>
{
    // Policy that only requires an authenticated caller; applied as a global filter
    // so every action is protected without a per-action [Authorize] attribute.
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();

    config.Filters.Add(new AuthorizeFilter(policy));
});

Edit:
For security reasons consider the notes in GitHub.

Ashkan Nourzadeh
  • Please be careful when linking this, it's **not meant for production use** as blowdart (the ASP.NET Core security him) himself suggests on [GitHub](https://github.com/blowdart/idunno.Authentication) (also see [his answer here](https://stackoverflow.com/a/35300866/455493)). It's only for testing and demo purposes. Basic auth was not included in ASP.NET Core for a **good reason**. It acts as a demonstration on how to implement a security middleware. Just suggesting it w/o any warning would make people believe in and use it and have security issues on their websites – Tseng Jan 30 '18 at 07:06
  • @Tseng the link to GitHub is pointing to StackOverflow – Ashkan Nourzadeh Jan 30 '18 at 07:10
  • Sorry, fixed it. In hurry to get the bus to work. https://github.com/blowdart/idunno.Authentication – Tseng Jan 30 '18 at 07:11
  • @Tseng, Good points. Edited the answer, added the GitHub link. (But I think ignoring basic auth because you should consider some security actions like https, rate limiting, locking out on invalid attempts etc. is not a good choice) – Ashkan Nourzadeh Jan 30 '18 at 07:20
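As an added example (not code from the question, the answer or idunno.Authentication) of the global, header-based scheme the question asks for: a custom AuthenticationHandler reads the key and password from two assumed header names, validates them through a hypothetical IApiKeyStore that stands in for the external table, and puts the client id into a claim so each action can check ownership. Registered once and combined with the AuthorizeFilter from the answer, it removes the need to pass Key and Password into every action.

```csharp
using System.Security.Claims;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

// Hypothetical lookup against the external credentials table. Compare the password
// against a salted hash stored in the table, never against a plaintext column.
public interface IApiKeyStore
{
    // Returns the caller id and the client the caller belongs to, or null when the pair is invalid.
    Task<(int CallerId, int ClientId)?> ValidateAsync(string key, string password);
}

public class HeaderCredentialsHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    public const string SchemeName = "HeaderCredentials";
    private readonly IApiKeyStore _store;

    public HeaderCredentialsHandler(IOptionsMonitor<AuthenticationSchemeOptions> options,
        ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock, IApiKeyStore store)
        : base(options, logger, encoder, clock) => _store = store;

    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // Header names are assumed; the question only says the key and password travel in headers.
        if (!Request.Headers.TryGetValue("X-Api-Key", out var key) ||
            !Request.Headers.TryGetValue("X-Api-Password", out var password))
            return AuthenticateResult.NoResult();   // no credentials: the global filter answers 401

        var caller = await _store.ValidateAsync(key, password);
        if (caller == null)
            return AuthenticateResult.Fail("Invalid key or password");

        // The client id becomes a claim, so actions can check ownership without re-querying the table.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.NameIdentifier, caller.Value.CallerId.ToString()),
            new Claim("client_id", caller.Value.ClientId.ToString()),
        }, Scheme.Name);
        return AuthenticateResult.Success(
            new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name));
    }
}

// Startup.ConfigureServices: register the scheme, then add the AuthorizeFilter from the answer.
// services.AddAuthentication(HeaderCredentialsHandler.SchemeName)
//     .AddScheme<AuthenticationSchemeOptions, HeaderCredentialsHandler>(HeaderCredentialsHandler.SchemeName, null);
// Per-client check inside an action: User.FindFirst("client_id")?.Value == clientId.ToString()
```

Because the password still travels in a header on every request, this only makes sense over HTTPS, and the store should apply the lockout and rate limiting mentioned in the comments.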