I'm using Amazon Cognito for authentication and authorization. I can restrict an endpoint by adding the AuthorizeAttribute [Authorize(Policy = "SomeGroup")] but how do I add some business logic to check if an user is in a specific role inside an endpoint method and basically return a message depending on that?
public static Task<IResult> Test()
{
if (user is an administrator)
{
return Task.FromResult(Results.BadRequest("admin"));
}
return Task.FromResult(Results.Ok("not admin"));
}
Code
builder.Services.AddSingleton<IAuthorizationHandler, CognitoGroupAuthorizationHandler>();
builder.Services.AddCognitoIdentity();
builder.Services
.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
options.Authority = builder.Configuration["AWSCognito:Authority"];
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
ValidateAudience = false
};
});
builder.Services.AddAuthorization(options =>
{
options.DefaultPolicy = new AuthorizationPolicyBuilder(JwtBearerDefaults.AuthenticationScheme).RequireAuthenticatedUser().Build();
options.AddPolicy("SomeGroup", policy => policy.Requirements.Add(new CognitoGroupAuthorizationRequirement("Example")));
});
public class CognitoGroupAuthorizationHandler : AuthorizationHandler<CognitoGroupAuthorizationRequirement>
{
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, CognitoGroupAuthorizationRequirement requirement)
{
if (context.User.HasClaim(c => c.Type == "cognito:groups" && c.Value == requirement.CognitoGroup))
{
context.Succeed(requirement);
}
else
{
context.Fail();
}
return Task.CompletedTask;
}
}
public class CognitoGroupAuthorizationRequirement : IAuthorizationRequirement
{
public CognitoGroupAuthorizationRequirement(string cognitoGroup)
{
CognitoGroup = cognitoGroup;
}
public string CognitoGroup { get; }
}
