I noticed that I can enable Windows Auth in my ASP.NET Core app by enabling the windowsAuthentication parameter in my launchSettings.json file:

  "iisSettings": {
    "windowsAuthentication": true,
    "anonymousAuthentication": false,
    "iisExpress": {
      // ...
    }
  }

Is there an easy way to make the authentication a bit more restrictive and allow only users who belong to a specific group in my domain?

I remember implementing this once manually and now I wonder if a feature like this is supported by .NET automatically.

I use .NET 6.

EDIT

Something I have in mind (it's not valid code, rather thinking out loud):

app.UseRouting();

// This must run after the authentication middleware has populated context.User.
app.Use(async (context, next) =>
{
    // userBelongsToGroup is a placeholder for the actual membership check.
    if (userBelongsToGroup(@"MySuperGroup"))
    {
        await next();
    }
    else
    {
        context.Response.StatusCode = 401;
        return;
    }
});

app.UseAuthorization();
LA.27
    Does this answer your question? [Windows authentication on ASP.NET Core 5 MVC for AD groups](https://stackoverflow.com/questions/66671364/windows-authentication-on-asp-net-core-5-mvc-for-ad-groups) – mason Jun 20 '22 at 16:25
  • Hi @mason and thanks for your comment. I'm searching for something more like this https://stackoverflow.com/questions/53191160/how-to-check-if-user-is-member-of-group. – LA.27 Jun 20 '22 at 16:46
  • Anyway, both your link and mine make me think there's no way to make everything work automagically. – LA.27 Jun 20 '22 at 16:46
  • Btw. I've updated my question to make it clearer about my expectations. – LA.27 Jun 20 '22 at 17:01

2 Answers


Maybe you could try with an authorize filter as below:

using System.Linq;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

public class AdminRequired : IAuthorizationFilter
{
    // Placeholder group name; replace with the real "DOMAIN\Group".
    private const string RequiredGroup = @"DOMAIN\MySuperGroup";

    public void OnAuthorization(AuthorizationFilterContext context)
    {
        var claims = context.HttpContext.User.Claims.ToList(); // available for a custom check
        // "somelogic" in the original stands for your own test; with Windows authentication
        // User is a WindowsPrincipal, so IsInRole resolves a domain group name.
        bool allowed = context.HttpContext.User.IsInRole(RequiredGroup);
        if (!allowed)
        {
            // Assigning Result short-circuits the action; the original created the
            // result but never assigned it, so the request still went through.
            context.Result = new UnauthorizedResult();
        }
    }
}

Add [TypeFilter(typeof(AdminRequired))] to the target action.


Ruikai Feng
  • Would be nice, but I don't use MVC. My app just returns a single HTML with a bundled JS logic. – LA.27 Jun 21 '22 at 09:44
  • Unless you meant something else than an MVC action. Then can you please tell a bit more details? :) – LA.27 Jun 21 '22 at 09:45

I decided to implement my own IApplicationBuilder extension and return 401 if a user does not belong to a specified group:

using System;
using System.Linq;
using System.Runtime.Versioning;
using System.Security.Principal;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public static class CheckAuthorizationMiddleware
{
    [SupportedOSPlatform("windows")]
    public static IApplicationBuilder EnsureADGroup(this IApplicationBuilder app, string groupName)
    {
        // Register after UseAuthentication() so context.User is already populated.
        return app.Use(async (context, next) =>
        {
            // Reject anything that is not a WindowsIdentity instead of throwing on a null cast.
            if (context.User.Identity is not WindowsIdentity identity || identity.Groups is null)
            {
                context.Response.StatusCode = 401;
                return;
            }

            // Translate each group SID to "DOMAIN\Name"; groupName must use the same form.
            // Translate throws IdentityNotMappedException for SIDs that no longer resolve.
            var names = identity.Groups
                .Select(group => group.Translate(typeof(NTAccount)).ToString());

            // Windows group names are case-insensitive, so compare accordingly.
            if (names.Contains(groupName, StringComparer.OrdinalIgnoreCase))
            {
                await next();
            }
            else
            {
                // 401 as in the original; 403 is the conventional status for an
                // authenticated user who is simply not a member.
                context.Response.StatusCode = 401;
                return;
            }
        });
    }
}

In my case it works just fine, but if there are better ways of implementing this, don't hesitate to post a comment and tell me about it :).

LA.27
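A declarative alternative to both answers, added here as an example and not code from either poster: ASP.NET Core's own authorization policies can express the group check, because under Windows authentication HttpContext.User is a WindowsPrincipal whose IsInRole resolves a DOMAIN\Group name against the logon token's group SIDs. This assumes a .NET 6 Program.cs with implicit usings, IIS/IIS Express hosting as in the question's launchSettings.json, and the placeholder names RequireAdGroup and DOMAIN\MySuperGroup.

```csharp
using Microsoft.AspNetCore.Server.IISIntegration;

var builder = WebApplication.CreateBuilder(args);

// Windows authentication via IIS / IIS Express, matching the iisSettings in the question.
builder.Services.AddAuthentication(IISDefaults.AuthenticationScheme);

builder.Services.AddAuthorization(options =>
{
    // Under Windows authentication HttpContext.User is a WindowsPrincipal, whose IsInRole
    // translates "DOMAIN\Group" to a SID and checks the logon token's group list.
    // RequireRole calls IsInRole, so no claim inspection or SID translation is needed.
    // "RequireAdGroup" and DOMAIN\MySuperGroup are placeholder names (assumed).
    options.AddPolicy("RequireAdGroup", policy =>
        policy.RequireAuthenticatedUser()
              .RequireRole(@"DOMAIN\MySuperGroup"));

    // Fallback policy: applied to every request that carries no explicit authorization
    // metadata, including static files served after UseAuthorization() below.
    options.FallbackPolicy = options.GetPolicy("RequireAdGroup");
});

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// Static files are registered after authorization so the fallback policy guards the
// bundled index.html and JS too; anonymous callers get a challenge, authenticated
// non-members get 403 from the authorization middleware.
app.UseStaticFiles();
app.MapFallbackToFile("index.html");

app.Run();
```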