I have been learning Asp.Net Identity on the past few days, I am familiar with authorizing the controller with [Authorize(Roles = "Admin")]
or [Authorize(Policy = "OnlyAdminAndModerators")]
for example.
I am using JWT token, when authorizing via "[Authorize(Roles = "Admin")]" all I have to do is set a role type on my token, like this:
{
"nameid": "a173e923-1808-4d7d-2b64-08d684882677",
"unique_name": "yuri",
"role": [
"Admin",
"Moderator"
],
"nbf": 1549522727,
"exp": 1549609127,
"iat": 1549522727
}
With this, my controller is able to authenticate via the "role" name on the json
and the value of "Admin".
What I have heard is that it is possible to create a role on the Identity AspNetRole Table, associate a claim to the role via the AspNetRoleClaims table, so for example Admin would have "CanAdd" claim, then on the Startup class, I could create a Policy saying something like options.AddPolicy("Add Role", policy => policy.RequireClaim("CanAdd", "AddClaim"));
And then finally I could go on my controller, set a method with [Authorize(Policy = "Add Role")]
and the controller would authorize any user with the Role of Admin because he would have the CanAdd claim.
Sorry I know it's a big question but I really want to make this work.
Thanks in advance.
To authenticate a user, a client application must send a JSON Web Token (JWT) in the authorization header of the HTTP request to your backend API. API Gateway validates the token on behalf of your API, so you don't have to add any code in your API to process the authentication.
Both API key and JWT are used for authentication and authorization, but they do it differently. Authentication allows the user or application to use one or more methods of the API. Authorization defines how they can use those methods.
One way to get additional claims retrieved based on the contents of your token can be done in an message handler that runs after the reading of the token and before the authorization step. For .NET Full framework I used OWin to do this. This block injects additional claims into the claimsPrinciple that can be used then in the policies you define.
This is my startup file:
ConfigureAuthorization -> my extension method to wrap tge BearerTokenAuthentication owin block IncludeAzureActiveDirectoryUserClaims -> get claims from Azure APi and add them...
using Owin;
[assembly: OwinStartup(typeof(Token.API.Startup))]
namespace Token.API
{
public partial class Startup
{
public void Configuration(IAppBuilder app)
{
app.ConfigureAuthorization(ClaimsProviders
.InitializeAuthorizationProviders()
.IncludeAzureActiveDirectoryUserClaims()
);
}
}
}
If I would do it for .NET Core , it would look something like this: Bearer Authentication: link
In startup.cs:
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
app.UseAuthentication();
app.Use(async (context, next) =>
{
//Retrieve claims from database based on roles in token.
// Add to loaded identity (= context.User)
await next.Invoke();
});
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With