Use Custom Attributes with ASP.NET Identity
So recently I got into ASP.NET Identity with all the auth stuff so I can write more robust backend software.
But now I have a question: the way I'd like to handle permissions for users is by enabling scopes on them, for example account.manage or profile.view.
For example, now in my backend I'd like to have a middleware/attribute like [RequireScope("account.manage")] which uses the authenticated user to see its scopes.
So now I have 2 questions:
1. Is it even a good idea to do it like that? If no, what are my alternatives?
2. How can I implement this properly?
12 Replies
Seems like you could just use claims and auth policies
Give the user an "account.manage" claim, check that in a policy, name it "account.manage"
use with
But where are those claims stored, and can those claims be easily modified in the case of, for example, me modifying someone's scopes?
Otherwise yeah that sounds great actually
They're stored in the database, then stored in the session cookie when the user logs in, so checking them does not require a database hit.
The downside being, you might have to re-log the user when you change their claims.
Doesn't that mean the user could technically modify their scopes?
No, the session cookie is encrypted
I know JWT and stuff is pretty secure but I've seen things
Honestly I'd rather have it run read operations on a database then, 'cause this is a system I will later migrate to where users can own places and manage their own users.
Gonna have to build something more bespoke, then
You can use resource-based auth, though
So still the authorize attribute and policies
Anything that allows me to access my authenticated user works tbh
What would that be?
But the policy can hit the db up and look for the data there
Resource-based authorization in ASP.NET Core
Learn how to implement resource-based authorization in an ASP.NET Core app when an Authorize attribute won't suffice.
That looks like what I need
I'll try to implement this for my use case, thanks!