Use Custom Attributes with ASP.NET Identity

So recently I got into ASP.NET Identity with all the auth stuff so I can write more robust backend software. But now I have a question. The way I'd like to handle permissions for users is by enabling scopes on them, for example account.manage or profile.view. Now in my backend I'd like to have a middleware/attribute like [RequireScope("account.manage")] which uses the authenticated user to see its scopes. So now I have 2 questions:
1. Is it even a good idea to do it like that? If not, what are my alternatives?
2. How can I implement this properly?
12 Replies
Angius (2mo ago)
Seems like you could just use claims and auth policies. Give the user an "account.manage" claim, check that in a policy, name it "account.manage", use with
[Authorize("account.manage")]
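The claims-plus-policy setup described in the reply above, written out as an added example (not code from the thread). The user type, the "scope" claim type, the AppDbContext name, the SQLite provider and the ScopeAdmin helper are all assumptions. It also shows the practical side of the "re-log the user" caveat: the Identity cookie is re-validated against the user's security stamp every SecurityStampValidatorOptions.ValidationInterval (30 minutes by default), and each validation rebuilds the principal from the database, so a shorter interval bounds how long a changed scope takes to show up; rotating the security stamp on revoke additionally throws out every existing session for that user at its next validation.

```csharp
// Added example, not from the thread. Hypothetical names: AppDbContext, ScopeAdmin,
// the "scope" claim type and the "account.manage" / "profile.view" scope strings.
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddDbContext<AppDbContext>(o => o.UseSqlite("Data Source=app.db")); // assumed provider
builder.Services.AddIdentity<IdentityUser, IdentityRole>().AddEntityFrameworkStores<AppDbContext>();

// One policy per scope. RequireClaim checks claim type + value on the authenticated principal;
// with the Identity cookie those claims come from AspNetUserClaims, copied in at sign-in.
string[] scopes = { "account.manage", "profile.view" };
builder.Services.AddAuthorization(options =>
{
    foreach (var scope in scopes)
        options.AddPolicy(scope, p => p.RequireAuthenticatedUser().RequireClaim("scope", scope));
});

// Re-validate the cookie against the security stamp every 5 minutes instead of the default 30.
// Each validation rebuilds the principal from the DB, so granted/revoked scopes appear within
// this interval; a rotated stamp rejects the cookie outright and forces a fresh login.
builder.Services.Configure<SecurityStampValidatorOptions>(o => o.ValidationInterval = TimeSpan.FromMinutes(5));

builder.Services.AddControllers();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

public class AppDbContext : IdentityDbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> o) : base(o) { }
}

// The policy name doubles as the scope name, exactly as suggested in the reply.
[ApiController, Route("api/account")]
public class AccountController : ControllerBase
{
    [HttpPost("close")]
    [Authorize("account.manage")]
    public IActionResult Close() => Ok();
}

// Granting/revoking a scope = writing the claim to the user's rows in the DB.
public class ScopeAdmin
{
    private readonly UserManager<IdentityUser> _users;
    public ScopeAdmin(UserManager<IdentityUser> users) => _users = users;

    public async Task GrantAsync(IdentityUser user, string scope)
    {
        var result = await _users.AddClaimAsync(user, new Claim("scope", scope));
        if (!result.Succeeded)
            throw new InvalidOperationException(string.Join("; ", result.Errors.Select(e => e.Description)));
        // Visible on the user's next security-stamp validation (at most ValidationInterval away).
    }

    public async Task RevokeAsync(IdentityUser user, string scope)
    {
        var result = await _users.RemoveClaimAsync(user, new Claim("scope", scope));
        if (!result.Succeeded)
            throw new InvalidOperationException(string.Join("; ", result.Errors.Select(e => e.Description)));
        // Rotate the stamp so every existing cookie for this user is rejected at its next validation.
        await _users.UpdateSecurityStampAsync(user);
    }
}
```

The cookie holding those claims is protected by ASP.NET Core Data Protection, which both encrypts and authenticates the payload, so a client cannot add a "scope" claim to its own cookie without the server's keys; what the cookie cannot do is notice a database change on its own, which is why the validation interval matters.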
The Fog from Human Resources
But where are those claims stored, and can those claims be easily modified in the case of, for example, me modifying someone's scopes? Otherwise yeah, that sounds great actually.
Angius (2mo ago)
They're stored in the database, then stored in the session cookie when the user logs in, so checking them does not require a database hit. The downside being, you might have to re-log the user when you change their claims.
The Fog from Human Resources
Doesn't that mean the user could technically modify their scopes?
Angius (2mo ago)
No, the session cookie is encrypted.
The Fog from Human Resources
I know JWT and stuff is pretty secure but I've seen things :SCimgoinginsane: Honestly I'd rather have it run read operations on a database then, 'cause this is a system I will later migrate to where users can own places and manage their own users.
Angius (2mo ago)
Gonna have to build something more bespoke, then. You can use resource-based auth, though. So still the authorize attribute and policies.
The Fog from Human Resources
Anything that allows me to access my authenticated user works tbh. What would that be?
Angius (2mo ago)
But the policy can hit the DB up and look for the data there.
Angius (2mo ago)
Resource-based authorization in ASP.NET Core
Learn how to implement resource-based authorization in an ASP.NET Core app when an Authorize attribute won't suffice.
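An added example (not from the thread or the linked docs) of the two things suggested in the last few replies: a policy whose handler looks the user's scopes up in the database on every request, so a revoke is a single DELETE with no re-login, and a resource-based check for the "users can own places" case, where the decision needs the Place itself and so cannot be made by an attribute alone. The entity and handler names (UserScope, Place, DbScopeHandler, PlaceOwnerHandler, PlaceOperations), the AppDbContext name and the SQLite provider are assumptions.

```csharp
// Added example, not from the thread. Hypothetical names: AppDbContext, UserScope, Place,
// DbScopeHandler, PlaceOwnerHandler, PlaceOperations and the "account.manage" scope string.
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Infrastructure;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddDbContext<AppDbContext>(o => o.UseSqlite("Data Source=app.db")); // assumed provider
builder.Services.AddIdentity<IdentityUser, IdentityRole>().AddEntityFrameworkStores<AppDbContext>();
builder.Services.AddAuthorization(o =>
    o.AddPolicy("account.manage", p => p.AddRequirements(new ScopeRequirement("account.manage"))));
// Handlers that take a DbContext must be registered as scoped, not singleton.
builder.Services.AddScoped<IAuthorizationHandler, DbScopeHandler>();
builder.Services.AddScoped<IAuthorizationHandler, PlaceOwnerHandler>();
builder.Services.AddControllers();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

// One row per (user, scope). Revoking is a DELETE that takes effect on the user's next request.
public class UserScope { public string UserId { get; set; } = ""; public string Scope { get; set; } = ""; }
public class Place { public int Id { get; set; } public string OwnerId { get; set; } = ""; }

public class AppDbContext : IdentityDbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> o) : base(o) { }
    public DbSet<UserScope> UserScopes => Set<UserScope>();
    public DbSet<Place> Places => Set<Place>();
    protected override void OnModelCreating(ModelBuilder b)
    {
        base.OnModelCreating(b);
        b.Entity<UserScope>().HasKey(s => new { s.UserId, s.Scope });
    }
}

// The "account.manage" policy carries this requirement; the handler resolves it against the DB.
public record ScopeRequirement(string Scope) : IAuthorizationRequirement;

public class DbScopeHandler : AuthorizationHandler<ScopeRequirement>
{
    private readonly AppDbContext _db;
    public DbScopeHandler(AppDbContext db) => _db = db;

    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext ctx, ScopeRequirement req)
    {
        var userId = ctx.User.FindFirst(ClaimTypes.NameIdentifier)?.Value; // Identity's user-id claim
        if (userId is null) return;                                        // unauthenticated: stays unmet
        if (await _db.UserScopes.AnyAsync(s => s.UserId == userId && s.Scope == req.Scope))
            ctx.Succeed(req);
        // No ctx.Fail() on a plain miss: Fail vetoes every other handler for this requirement.
    }
}

// Resource-based check: only the owner of a given Place may "Manage" it.
public static class PlaceOperations
{
    public static readonly OperationAuthorizationRequirement Manage = new() { Name = "Manage" };
}

public class PlaceOwnerHandler : AuthorizationHandler<OperationAuthorizationRequirement, Place>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext ctx,
        OperationAuthorizationRequirement req, Place place)
    {
        var userId = ctx.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (req.Name == PlaceOperations.Manage.Name && userId is not null && place.OwnerId == userId)
            ctx.Succeed(req);
        return Task.CompletedTask;
    }
}

[ApiController, Route("api/places")]
public class PlacesController : ControllerBase
{
    private readonly AppDbContext _db;
    private readonly IAuthorizationService _authz;
    public PlacesController(AppDbContext db, IAuthorizationService authz) { _db = db; _authz = authz; }

    // Policy-based: the attribute is enough when the decision depends only on the user.
    [HttpPost("{id:int}/close")]
    [Authorize("account.manage")]
    public IActionResult Close(int id) => Ok();

    // Resource-based: load the Place first, then ask IAuthorizationService about this user + this Place.
    [HttpDelete("{id:int}")]
    [Authorize]
    public async Task<IActionResult> Delete(int id)
    {
        var place = await _db.Places.FindAsync(id);
        if (place is null) return NotFound();
        var result = await _authz.AuthorizeAsync(User, place, PlaceOperations.Manage);
        if (!result.Succeeded) return Forbid();
        _db.Places.Remove(place);
        await _db.SaveChangesAsync();
        return NoContent();
    }
}
```

Two things worth checking in a real deployment: the scope lookup is one indexed query per protected request (the composite key on UserScope covers it), and the controller returns NotFound before the ownership check, so a caller who is not the owner learns whether the id exists; return Forbid in both cases if that matters for your threat model.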
The Fog from Human Resources
That looks like what I need I'll try to implement this for my use case, thanks!
Angius (2mo ago)
:Ok: