C#•16mo ago

Use Custom Attributes with ASP.NET Identity

So recently i got into ASP.NET Identity with all the auth stuff so i can write more robust backend software
But now i have a question, the way id like to handle permissions for users is by enabling scopes on them for example

account.manage

account.manage

profile.view

profile.view

for example, now in my backend id like to have have a middleware/attribute like

[RequireScope("account.manage")]

[RequireScope("account.manage")]

which uses the Authenticated user to see its scopes
so now i have 2 questions

is it even a good idea to do it like that, if no what are my alternatives?
how can i implement this properly

Angius•9/19/24, 11:28 PM

Seems like you could just use claims and auth policies

Angius•9/19/24, 11:29 PM

Give the user an claim, check that in a policy, name it use with

AAngius Give the user an `"account.manage"` claim, check that in a policy, name it `"acc...

The Fog from Human ResourcesOP•9/19/24, 11:31 PM

But where are those claims stored and can those claims be easily modified in the case of for example me modifying someones scopes?
Otherwise yeah that sounds great actually

Angius•9/19/24, 11:33 PM

They're stored in the database, then stored in the session cookie when user logs in, so checking them does not require a database hit

Angius•9/19/24, 11:33 PM

The downside being, you might have to re-log the user when you change their claims

The Fog from Human ResourcesOP•9/19/24, 11:34 PM

Doesn't that mean the user could technically modify their scopes

Angius•9/19/24, 11:35 PM

No, the session cookie is encrypted

The Fog from Human ResourcesOP•9/19/24, 11:35 PM

I know JWT and stuff is pretty secure but I've seen things :SCimgoinginsane:

AAngius The downside being, you might have to re-log the user when you change their clai...

The Fog from Human ResourcesOP•9/19/24, 11:36 PM

Honestly I'd rather have it run Read operations on a database then, cause this is a system I will later migrate to where users can own places and manage their own users

Angius•9/19/24, 11:37 PM

Gonna have to build something more bespoke, then

Angius•9/19/24, 11:37 PM

You can use resource-based auth, though

Angius•9/19/24, 11:37 PM

So still the authorize attribute and policies

AAngius Gonna have to build something more bespoke, then

The Fog from Human ResourcesOP•9/19/24, 11:37 PM

Anything that allows me to access my authenticated user works tbh

AAngius You can use resource-based auth, though

The Fog from Human ResourcesOP•9/19/24, 11:37 PM

What would that be?