
I got some idea about policy-based authorization in .NET 6.0 from the Microsoft article: https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-6.0

The article talks about hard-coding the policy in the authorization attribute. I have REST APIs and I want to assign permissions to them in some configuration, for example in a file. How can I define the policy in the configuration, and what ingredients should it include, so that I can load the policy from the file and then apply it on startup to the authorization attribute? For how to apply it to the authorization attribute, I have seen the following link: Bind AuthorizationPolicy to Controller/Action without using AuthorizeAttribute

Here I am only interested in how I can define the policies in the configuration file (appsettings.json) and what template or fields it should have. I know it will move to a database later, but I need it for the proof of concept. I am not sure whether we really need to define the policy, or whether we can define the permissions per API and then create the policy automatically based on the API permission. Any help in this context will be appreciated.

Regards, IK

user2724058

1 Answer


I tried as below:

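    // Runs where `services` and `Configuration` are available (e.g. ConfigureServices).
    // Needs: using System; using System.Collections.Generic; using Microsoft.AspNetCore.Authorization;
    var policylist = new List<AuthOption>();
    Configuration.GetSection("PolicyList").Bind(policylist);
    services.AddAuthorization(options =>
    {
        policylist.ForEach(x =>
        {
            options.AddPolicy(x.PolicyName, policy =>
            {
                x.Requirement.ForEach(y =>
                {
                    // Resolve the requirement class by name, in the namespace of this class.
                    Type type = Type.GetType(System.Reflection.MethodBase.GetCurrentMethod().DeclaringType.Namespace + "." + y.RequirementName);
                    // Reject names that do not resolve to an IAuthorizationRequirement,
                    // rather than failing inside Activator.CreateInstance with a null type.
                    if (type == null || !typeof(IAuthorizationRequirement).IsAssignableFrom(type))
                    {
                        throw new InvalidOperationException("Unknown requirement: " + y.RequirementName);
                    }
                    if (y.Inputs != null)
                    {
                        // Requirement whose constructor takes a single string argument.
                        var requirement = (IAuthorizationRequirement)Activator.CreateInstance(type, y.Inputs);
                        policy.AddRequirements(requirement);
                    }
                    else
                    {
                        // Requirement with a parameterless constructor.
                        var requirement = (IAuthorizationRequirement)Activator.CreateInstance(type);
                        policy.AddRequirements(requirement);
                    }
                });
            });
        });
    });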

Added some classes:

    // One entry of the "PolicyList" section in appsettings.json.
    public class AuthOption
    {
        public AuthOption()
        {
            Requirement = new List<Requirement>();
        }
        public string PolicyName { get; set; }

        public List<Requirement> Requirement { get; set; }
    }

    // Name of a requirement class plus its optional constructor argument.
    public class Requirement
    {
        public string RequirementName { get; set; }
        public string Inputs { get; set; }
    }

    public class MinimumAgeRequirement : IAuthorizationRequirement
    {
        public MinimumAgeRequirement(string minimumAge) =>
            MinimumAge = minimumAge;

        public string MinimumAge { get; }
    }

    public class AnotherRequirement : IAuthorizationRequirement
    {
    }

In appsettings.json:

    "PolicyList": [
      {
        "PolicyName": "policy1",
        "Requirement": [
          {
            "RequirementName": "MinimumAgeRequirement",
            "Inputs": "21"
          },
          {
            "RequirementName": "AnotherRequirement"
          }
        ]
      },
      {
        "PolicyName": "policy2",
        "Requirement": [
          {
            "RequirementName": "AnotherRequirement"
          }
        ]
      }
    ]


Ruikai Feng
  • Thanks for the reply. I can add some other attributes to the policy, like the operator between requirements, the API endpoint where the policy will be applied, etc. This will help me to apply the policy dynamically to the methods of the controllers. Is it possible to remove the policy dynamically or update it? – user2724058 Aug 11 '22 at 09:53
  • Any idea how we can add conditions between policies like 'AND', 'OR', etc.? – user2724058 Aug 30 '22 at 07:19
  • What's the detailed requirement? Why do you want to add OR conditions between policies? – Ruikai Feng Aug 30 '22 at 07:39
  • I want to build a generic solution where an API can be accessible using permissions/scopes, roles and claims. For example, an API can be accessible by the permission as well as if there is any role defined in the policy. By default requirements are AND. There can be multiple roles that can be OR as well. Multiple combinations are possible, permissions OR with roles, etc. – user2724058 Aug 30 '22 at 11:43
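
A reflection-free way to load policies from the `PolicyList` section, including the AND/OR combination of roles and scopes raised in the comments; this is an added example, not code from the question or the answer. `PolicyRule`, its `Match`, `Roles` and `Scopes` fields and `AddConfiguredPolicies` are hypothetical names, and it assumes each granted scope arrives as its own `scope` claim.

```csharp
// Added example (hypothetical names). Assumed appsettings.json entry:
// { "PolicyName": "orders.read", "Match": "Any", "Roles": ["Admin"], "Scopes": ["orders.read"] }
// Registration: services.AddAuthorization(o => o.AddConfiguredPolicies(Configuration));
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Configuration;

public class PolicyRule
{
    public string PolicyName { get; set; }
    public string Match { get; set; } = "All";        // "All" = AND, "Any" = OR between the groups below
    public List<string> Roles { get; set; } = new();   // satisfied by any one of these roles
    public List<string> Scopes { get; set; } = new();  // satisfied by any one of these scope values
}

public static class PolicyLoader
{
    public static void AddConfiguredPolicies(this AuthorizationOptions options, IConfiguration config)
    {
        var rules = config.GetSection("PolicyList").Get<List<PolicyRule>>() ?? new List<PolicyRule>();
        foreach (var rule in rules)
        {
            if (string.IsNullOrWhiteSpace(rule.PolicyName))
                throw new InvalidOperationException("PolicyList entry without a PolicyName.");
            // An entry with no checks would otherwise admit every authenticated user.
            if (rule.Roles.Count == 0 && rule.Scopes.Count == 0)
                throw new InvalidOperationException($"Policy '{rule.PolicyName}' defines no checks.");
            bool any = rule.Match switch
            {
                "Any" => true,
                "All" => false,
                _ => throw new InvalidOperationException($"Policy '{rule.PolicyName}': unknown Match value.")
            };
            options.AddPolicy(rule.PolicyName, policy =>
            {
                policy.RequireAuthenticatedUser();
                policy.RequireAssertion(ctx =>
                {
                    var groups = new List<bool>();   // one result per configured group
                    if (rule.Roles.Count > 0) groups.Add(rule.Roles.Any(ctx.User.IsInRole));
                    if (rule.Scopes.Count > 0) groups.Add(rule.Scopes.Any(s => ctx.User.HasClaim("scope", s)));
                    return any ? groups.Any(ok => ok) : groups.All(ok => ok);
                });
            });
        }
    }
}
```

Because the configuration only carries role and scope strings, a malformed or tampered file cannot cause an arbitrary type to be instantiated, and an unknown `Match` value or an entry with no checks raises an exception instead of registering a policy.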