0

Let's say I have a working implementation of authentication and authorization in an ASP.NET Core MVC app, and on an action I have [Authorize(Roles = "Admin")] attribute. I have just logged in and I'm about to call that action.

When that action is called, where does the [Authorize(Roles = "Admin")] attribute look to see if the user has the role of "Admin"? Where is "Admin" stored?

Lukas
  • The roles are stored in the `AspNetRoles` table, and are mapped to the user on the `AspNetUserRoles` – Nick Feb 18 '20 at 19:53
  • Thank you for your response. Does it use methods from `RoleManager` or `RoleStore` to check if the proper role is mapped onto the user? Also, when you say user, you mean the `ControllerBase.User` property? – Lukas Feb 18 '20 at 20:00
  • Have a look at https://stackoverflow.com/questions/58464970/policy-based-authorization-vs-authorize-with-role-in-net-core – Ryan Feb 19 '20 at 05:29

3 Answers

1

It could depend on what kind of authentication you are using. I've only been using the JwtBearer authentication scheme.

In that case this information is usually encoded into the access token (by either your application or some other identity provider), and your client sends that with your request along with other personal data in the token.

Koppa Péter
0

If you are using the default implementation of ASP.NET Identity, the roles will be stored in the table AspNetRoles and the user role assignments on the AspNetUserRoles table.

The Authorize attribute is executed before the action is executed. Check out the following link for more details on the request pipeline: Filters in ASP.NET Core

Bruno Farias
0

I recently found out the answer to my question. Koppa Péter's answer was the closest here, but it turns out I needed more detail.

The [Authorize(Roles = "Admin")] attribute checks the values of the Role claims inside the encoded access token and compares it to "Admin".

Lukas
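The two paths the answers describe (Identity's AspNetRoles/AspNetUserRoles tables for cookie sign-in, and role claims carried in a JWT for the JwtBearer scheme) end at the same place: a `ClaimsPrincipal` whose role claims `[Authorize(Roles = "...")]` checks through `User.IsInRole`. The following is an added example written for this thread, not code from the question or any of the answers. It uses only `System.Security.Claims`, so it runs as a plain console app without ASP.NET Core; `IsAllowed` reproduces the attribute's behaviour of splitting `Roles` on commas and passing if any one role matches, and the claim values, user name and identifier are constructed sample data. The last case shows the failure mode that most often makes a valid token "lose" its roles: the role claim arrives under the raw name `role` rather than `ClaimTypes.Role`, and the check fails until the identity's role claim type is configured.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

// Added example, not the project's or any answer's code. Mirrors what
// [Authorize(Roles = "...")] does: for each comma-separated role it calls
// User.IsInRole(role), which looks for a claim whose type is the identity's
// RoleClaimType (ClaimTypes.Role unless configured otherwise) and whose value
// equals the role name.
static class RoleCheckDemo
{
    // Same rule as the attribute: "Admin,Manager" passes if ANY listed role matches.
    public static bool IsAllowed(ClaimsPrincipal user, string roles)
    {
        var allowed = roles
            .Split(',', StringSplitOptions.RemoveEmptyEntries)
            .Select(r => r.Trim());
        return allowed.Any(user.IsInRole);
    }

    // Path 1: cookie sign-in with ASP.NET Core Identity. UserClaimsPrincipalFactory
    // reads AspNetUserRoles -> AspNetRoles.Name and adds one ClaimTypes.Role claim per
    // role; the cookie then carries these claims. Values here are constructed.
    public static ClaimsPrincipal IdentityCookiePrincipal()
    {
        var id = new ClaimsIdentity("Identity.Application");
        id.AddClaim(new Claim(ClaimTypes.NameIdentifier, "user-id-placeholder"));
        id.AddClaim(new Claim(ClaimTypes.Name, "alice"));
        id.AddClaim(new Claim(ClaimTypes.Role, "Admin"));
        return new ClaimsPrincipal(id);
    }

    // Path 2: JwtBearer with the default inbound claim mapping. The JWT handler maps a
    // "role" claim to ClaimTypes.Role, so the resulting principal looks like Path 1.
    public static ClaimsPrincipal JwtMappedPrincipal()
    {
        var id = new ClaimsIdentity("Bearer");
        id.AddClaim(new Claim(ClaimTypes.Role, "Admin"));
        return new ClaimsPrincipal(id);
    }

    // Failure mode: inbound mapping disabled (or a provider that uses a different claim
    // name), so the claim keeps the raw type "role". IsInRole("Admin") only succeeds when
    // the identity is built with roleType "role"; in ASP.NET Core that corresponds to
    // setting TokenValidationParameters.RoleClaimType = "role" in AddJwtBearer.
    public static ClaimsPrincipal JwtUnmappedPrincipal(bool configureRoleClaimType)
    {
        var id = configureRoleClaimType
            ? new ClaimsIdentity("Bearer", nameType: ClaimTypes.Name, roleType: "role")
            : new ClaimsIdentity("Bearer");
        id.AddClaim(new Claim("role", "Admin"));
        return new ClaimsPrincipal(id);
    }

    static void Main()
    {
        Console.WriteLine($"Identity cookie, Roles=\"Admin\":         {IsAllowed(IdentityCookiePrincipal(), "Admin")}");
        Console.WriteLine($"JWT (mapped), Roles=\"Admin,Manager\":    {IsAllowed(JwtMappedPrincipal(), "Admin,Manager")}");
        Console.WriteLine($"JWT (raw \"role\", unconfigured):         {IsAllowed(JwtUnmappedPrincipal(false), "Admin")}");
        Console.WriteLine($"JWT (raw \"role\", RoleClaimType=\"role\"): {IsAllowed(JwtUnmappedPrincipal(true), "Admin")}");
    }
}
```

The first two principals pass the check because both carry a `ClaimTypes.Role` claim with the value `Admin`, regardless of whether the claim originated in a database table or a token. The third does not, even though the token says the user is an Admin, because `IsInRole` only inspects claims of the configured role claim type; the fourth shows the fix. When diagnosing a 403 on an `[Authorize(Roles = ...)]` action, dumping `User.Claims` (type and value) and comparing the type against `User.Identities.First().RoleClaimType` usually locates the mismatch faster than inspecting the database or the token by itself.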