4
votes

I'm working on an ASP.NET MVC application that uses Identity 2 to authenticate and authorize users, but it seems I need more features than role-based, so I want to change my method and use a claims-based method to create the application.

Update: Consider that I want to set access permission for a specific user to access a specific action.

But the problem is there is nothing to learn from. I mean, I know what a claim is, but I don't know how to implement it and create users and things.

I'm wondering why there's nothing out there to learn how to implement claims-based authorization! That's why I asked this question.

I need something like a prepared project or a step-by-step tutorial. Is there anything that teaches how to handle claims?

1
The best thing to do may be to store the custom access information inside the resource database. In other words, you don't need to put it in claims or the identity framework. You've identified the user and the user can be linked to your resource (like add a claim with UserId). No need to send this detailed information across the net. - user4864425
Yeah, I think it's a better approach, but I realized that maybe using the claims are the standard way to perform what I said. By the way, I've done something similar to your idea @RuardvanElburg - Hooman
In common the blogs of Dominick Baier (IdentityServer4) are interesting to read. Contains lots of information and thoughts: leastprivilege.com/2016/12/16/identity-vs-permissions - user4864425

1 Answer

4
votes

Please take a look at Policies in ASP.NET Core.

In a Policy you can make use of Claims + Roles + whatever you want. All this is built into ASP.NET.

Here is the official reference:

https://docs.microsoft.com/en-us/aspnet/core/security/authorization/claims
https://docs.microsoft.com/en-us/aspnet/core/security/authorization/policies

If you're not using .Net Core you'll need a custom implementation like this authorization filter.

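using System.Security.Claims;
using System.Web.Mvc;

// MVC 5 authorization filter that requires a specific claim type/value pair.
public class ClaimsAuthorizeAttribute : AuthorizeAttribute
{
    private string claimType;
    private string claimValue;
    public ClaimsAuthorizeAttribute(string type, string value)
    {
        this.claimType = type;
        this.claimValue = value;
    }
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        // A principal that is not a ClaimsPrincipal yields null and is rejected below.
        var user = filterContext.HttpContext.User as ClaimsPrincipal;
        if (user != null && user.HasClaim(claimType, claimValue))
        {
            // Claim present: continue with the standard Authorize checks (authentication, Users, Roles).
            base.OnAuthorization(filterContext);
        }
        else
        {
            // Claim missing: fail closed with the default unauthorized result (HTTP 401).
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}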

Code extracted from MVC5 Claims version of the Authorize attribute
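
For the ASP.NET Core route mentioned in the answer, the following is an added example (not code from the original post or from the linked docs) showing claims attached at sign-in and enforced per action through policies. It assumes a .NET 6+ web project with implicit usings; the claim type `permission`, its values, the policy names, the routes and the hard-coded users are all constructed for illustration.

```csharp
// Program.cs - added illustration; all names and sample users below are assumptions.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(o =>
    {
        // Return status codes instead of redirecting to login / access-denied pages.
        o.Events.OnRedirectToLogin = ctx => { ctx.Response.StatusCode = 401; return Task.CompletedTask; };
        o.Events.OnRedirectToAccessDenied = ctx => { ctx.Response.StatusCode = 403; return Task.CompletedTask; };
    });

builder.Services.AddAuthorization(options =>
{
    // One named policy per protected action; requirements inside a policy are ANDed.
    options.AddPolicy("CanDeleteOrders", p => p
        .RequireAuthenticatedUser()
        .RequireClaim("permission", "orders.delete"));
    // Claims and roles combined in a single policy.
    options.AddPolicy("ManagerCanRefund", p => p
        .RequireRole("Manager")
        .RequireClaim("permission", "orders.refund"));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Constructed sign-in stand-in: a real application verifies credentials first
// and loads the user's claims from its own store before issuing the cookie.
app.MapPost("/login/{name}", async (string name, HttpContext http) =>
{
    var claims = new List<Claim> { new(ClaimTypes.Name, name) };
    if (name == "alice") claims.Add(new Claim("permission", "orders.delete"));
    if (name == "bob")
    {
        claims.Add(new Claim(ClaimTypes.Role, "Manager"));
        claims.Add(new Claim("permission", "orders.refund"));
    }
    var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
    await http.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity));
    return Results.Ok();
});

app.MapDelete("/orders/{id:int}", (int id) => Results.Ok($"order {id} deleted"))
   .RequireAuthorization("CanDeleteOrders");   // alice: 200, bob: 403, anonymous: 401
app.MapPost("/orders/{id:int}/refund", (int id) => Results.Ok($"order {id} refunded"))
   .RequireAuthorization("ManagerCanRefund");  // bob: 200, alice: 403

app.Run();
```

On an MVC controller action the same policies are applied with `[Authorize(Policy = "CanDeleteOrders")]` instead of `RequireAuthorization`.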