Page 62 - MSDN Magazine, October 2017

Cutting Edge, Dino Esposito
Policy-Based Authorization in ASP.NET Core
The authorization layer of a software application ensures that the current user is allowed to access a given resource, perform a given operation, or perform a given operation on a given resource. In ASP.NET Core there are two ways to set up an authorization layer: you can use roles or you can use policies. The former approach, role-based authorization, has been carried over from previous versions of the ASP.NET platform, while policy-based authorization is new to ASP.NET Core.
The Authorize Attribute
Roles have been used in ASP.NET applications since the early days. Technically speaking, a role is a plain string. Its value, however, is treated as meta information by the security layer (checked for presence in the IPrincipal object) and used by applications to map a set of permissions to a given authenticated user. In ASP.NET the logged user is identified by an IPrincipal object, and in ASP.NET Core the actual class is ClaimsPrincipal. This class exposes a collection of identities and each identity is represented by IIdentity objects, specifically ClaimsIdentity objects. This means that any logged user comes with a list of claims, which are essentially statements about her status. Username and role are two common claims of users of ASP.NET Core applications. However, role presence depends on the backing identity store. For example, if you use social authentication, you're never going to see roles.
Authorization goes one step further than authentication. Authentication is about discovering the identity of a user, whereas authorization is about defining requirements for users to call into application endpoints. User roles are typically stored in the database and retrieved when the user credentials are validated, at which point role information is attached in some way to the user account. The IIdentity interface features an IsInRole method that must be implemented. The ClaimsIdentity class does that by checking that the Role claim is available in the collection of claims resulting from the authentication process. In any case, when the user attempts to call into a secured controller method, her role should be available for check. If not, the user is denied the call to any secured methods.
The Authorize attribute is the declarative way to secure a controller or some of its methods:
    [Authorize]
    public class CustomerController : Controller
    {
        ...
    }
Specified without arguments, the attribute only checks that the user is authenticated. However, the attribute supports additional properties such as Roles. The Roles property indicates that users in any of the listed roles would be granted access. To require multiple roles, you can apply the Authorize attribute multiple times, or write your own filter.
    [Authorize(Roles = "admin, system")]
    public class BackofficeController : Controller
    {
        ...
    }
Optionally, the Authorize attribute can also accept one or more authentication schemes through the ActiveAuthenticationSchemes property.
    [Authorize(Roles = "admin, system", ActiveAuthenticationSchemes = "Cookie")]
    public class BackofficeController : Controller
    {
        ...
    }
The ActiveAuthenticationSchemes property is a comma-separated string listing the authentication middleware components that the authorization layer will trust in the current context. In other words, it states that access to the BackofficeController class is allowed only if the user is authenticated through the Cookies scheme and has any of the listed roles. As mentioned, string values passed to the ActiveAuthenticationSchemes property must match authentication middleware registered at the startup of the application.
Note that in ASP.NET 2.0, authentication middleware is replaced with a service that has multiple handlers. As a result, an authentication scheme is a label that selects a handler. For more information about authentication in ASP.NET Core, you might want to check my September 2017 column, "Cookies, Claims and Authentication in ASP.NET Core" (msdn.com/magazine/mt842501).
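As an added example (not code from the column), here is how the scheme label and the two role semantics described above fit together in one ASP.NET Core 2.0 project; it assumes the 2.0 API, where the attribute property was renamed from ActiveAuthenticationSchemes to AuthenticationSchemes, and the login path and action names are constructed for illustration.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // The scheme name registered here ("Cookie") is the label that the
        // Authorize attribute below refers to. An attribute that names a
        // scheme not registered here fails when the request is authorized,
        // so keep the two strings in one place (a constant) in real code.
        services.AddAuthentication("Cookie")
                .AddCookie("Cookie", options =>
                {
                    options.LoginPath = "/account/login"; // constructed path
                });
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Authentication must run before MVC; otherwise the authorization
        // filter only ever sees an anonymous principal and denies everything.
        app.UseAuthentication();
        app.UseMvc();
    }
}

// A comma-separated Roles value is an OR: a user in "admin" OR "system"
// passes this class-level check, provided the "Cookie" scheme authenticated her.
[Authorize(Roles = "admin, system", AuthenticationSchemes = "Cookie")]
public class BackofficeController : Controller
{
    public IActionResult Index() => Content("backoffice");

    // Stacked Authorize attributes are an AND: every attribute contributes
    // its own requirement to the combined policy, so reaching this action
    // needs the class-level check AND "admin" AND "auditor".
    [Authorize(Roles = "admin")]
    [Authorize(Roles = "auditor")]
    public IActionResult AuditLog() => Content("audit log");
}
```

Confusing the two forms is a common source of over-permissive endpoints: "admin, auditor" in a single attribute lets either role in, while two attributes require both.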
Authorization Filters
The information provided by the Authorize attribute is consumed by the system-provided authorization filter. Because it's responsible for checking if the user is able to perform the requested