6
votes

I have been learning ASP.NET Identity over the past few days. I am familiar with authorizing a controller with [Authorize(Roles = "Admin")] or [Authorize(Policy = "OnlyAdminAndModerators")], for example.

I am using a JWT token; when authorizing via [Authorize(Roles = "Admin")], all I have to do is set a role type on my token, like this:

{
  "nameid": "a173e923-1808-4d7d-2b64-08d684882677",
  "unique_name": "yuri",
  "role": [
    "Admin",
    "Moderator"
  ],
  "nbf": 1549522727,
  "exp": 1549609127,
  "iat": 1549522727
}

With this, my controller is able to authenticate via the "role" name in the JSON and the value "Admin".

What I have heard is that it is possible to create a role in the Identity AspNetRoles table and associate a claim with the role via the AspNetRoleClaims table, so that, for example, Admin would have a "CanAdd" claim. Then, in the Startup class, I could create a policy saying something like options.AddPolicy("Add Role", policy => policy.RequireClaim("CanAdd", "AddClaim"));

And then finally I could go to my controller, mark a method with [Authorize(Policy = "Add Role")], and the controller would authorize any user with the role of Admin because he would have the CanAdd claim.

Sorry I know it's a big question but I really want to make this work.
Thanks in advance.

1
Hey, thanks for the link. It gave me some ideas, but it does not give me exactly what I want. The problem in my case is that, since I am checking for permissions in a JWT token, the token needs to have the claims on it. What I want is for the token to have only the roles on it, and then on the [Authorize] attribute on the controller the permission would be by the role claim. But since the token only has the role before the validation on the controller, the system would need to go to the database somehow and check if there is the needed claim associated with that role. – yuribsl
From what I have searched, I found someone doing it in ASP.NET Core MVC, but I did not find a way to do it with an API and a token. – yuribsl

1 Answer

2
votes

One way to get additional claims retrieved based on the contents of your token is a message handler that runs after the token has been read and before the authorization step. For the full .NET Framework I used OWIN to do this. This block injects additional claims into the ClaimsPrincipal, which can then be used in the policies you define.

This is my startup file:

ConfigureAuthorization -> my extension method to wrap the BearerTokenAuthentication OWIN block
IncludeAzureActiveDirectoryUserClaims -> get claims from the Azure API and add them...

using Microsoft.Owin;   // OwinStartupAttribute
using Owin;

[assembly: OwinStartup(typeof(Token.API.Startup))]

namespace Token.API
{
    public partial class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Bearer token authentication, followed by the claims providers that
            // enrich the authenticated principal before authorization runs.
            app.ConfigureAuthorization(ClaimsProviders
                    .InitializeAuthorizationProviders()
                    .IncludeAzureActiveDirectoryUserClaims()
            );
        }
    }
}

If I were to do it for .NET Core, it would look something like this (Bearer Authentication: link):

In startup.cs:

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    // Validates the bearer token and populates context.User with the claims it carries.
    app.UseAuthentication();

    // Runs after authentication and before the authorization step in MVC.
    app.Use(async (context, next) =>
    {
        // Retrieve claims from the database based on the roles in the token.
        // Add them to the loaded identity (= context.User).

        await next.Invoke();
    });

    // Controllers run after the extra claims are in place (added to close the snippet; not in the original).
    app.UseMvc();
}
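The following is a complete version of what the question asks for and what the answer sketches for .NET Core: a token that carries only roles, a policy that requires a claim stored in AspNetRoleClaims, and a middleware between UseAuthentication and MVC that loads each role's claims through RoleManager and attaches them to the principal. It is an added example, not code from the question, the answer, or any project; it targets ASP.NET Core 2.x with Identity on EF Core, and the names ApplicationDbContext, the SQLite connection string, the "CanAdd" claim, the "Add Role" policy and ItemsController are assumptions for illustration.

```csharp
// Added example (not from the question or answer). ASP.NET Core 2.x, Identity + EF Core.
// UseAuthentication validates the JWT and builds context.User from its "role" claims;
// RoleClaimsMiddleware then looks each role up in AspNetRoleClaims and adds the role's
// claims to the principal, so RequireClaim("CanAdd", "AddClaim") can pass although the
// token itself carries only roles. ApplicationDbContext, the connection string, the
// claim/policy names and the controller are assumed names.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Caching.Memory;
using Microsoft.Extensions.DependencyInjection;

public class ApplicationDbContext : IdentityDbContext   // assumed Identity store (AspNetRoles, AspNetRoleClaims)
{
    public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options) : base(options) { }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDbContext<ApplicationDbContext>(o => o.UseSqlite("Data Source=app.db")); // assumed
        services.AddIdentity<IdentityUser, IdentityRole>().AddEntityFrameworkStores<ApplicationDbContext>();
        services.AddMemoryCache();
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(o => { /* TokenValidationParameters: issuer, audience, signing key */ });
        services.AddAuthorization(options =>
        {
            // This claim is never in the token; RoleClaimsMiddleware supplies it from the database.
            options.AddPolicy("Add Role", policy => policy.RequireClaim("CanAdd", "AddClaim"));
        });
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        app.UseAuthentication();                   // signature/lifetime check, builds context.User
        app.UseMiddleware<RoleClaimsMiddleware>(); // after authentication, before MVC authorization
        app.UseMvc();
    }
}

public class RoleClaimsMiddleware
{
    private readonly RequestDelegate _next;
    public RoleClaimsMiddleware(RequestDelegate next) => _next = next;

    // RoleManager is scoped, so it is injected per request into InvokeAsync, not the constructor.
    public async Task InvokeAsync(HttpContext context, RoleManager<IdentityRole> roleManager, IMemoryCache cache)
    {
        var user = context.User;
        // Never enrich an unauthenticated principal: no valid token, no claims.
        if (user.Identity != null && user.Identity.IsAuthenticated)
        {
            // The JWT handler maps "role" to ClaimTypes.Role by default; accept the raw name too.
            var roleNames = user.Claims.Where(c => c.Type == ClaimTypes.Role || c.Type == "role")
                                       .Select(c => c.Value).Distinct();
            var extra = new List<Claim>();
            foreach (var roleName in roleNames)
            {
                // Cached per role so a request does not query AspNetRoleClaims for every role it names.
                var claims = await cache.GetOrCreateAsync("roleclaims:" + roleName, async entry =>
                {
                    entry.AbsoluteExpirationRelativeToNow = TimeSpan.FromMinutes(5);
                    var role = await roleManager.FindByNameAsync(roleName);
                    // A role named in the token but deleted from the database grants nothing.
                    return role == null ? new List<Claim>() : (await roleManager.GetClaimsAsync(role)).ToList();
                });
                extra.AddRange(claims);
            }
            if (extra.Count > 0)
            {
                // Separate identity: the claims validated from the token stay untouched.
                user.AddIdentity(new ClaimsIdentity(extra, "RoleClaims"));
            }
        }
        await _next(context);
    }
}

[ApiController, Route("api/[controller]")]
public class ItemsController : ControllerBase
{
    // Succeeds for a token whose roles include one that carries the CanAdd = AddClaim role claim.
    [HttpPost, Authorize(Policy = "Add Role")]
    public IActionResult Add() => Ok("added");
}
```

Two points worth keeping in mind with this layout. The middleware only ever extends a principal that the JWT handler has already authenticated, so nothing in the database is reachable with a forged or expired token; the trust boundary stays at signature validation. The per-role cache trades freshness for fewer queries: a permission removed from a role in AspNetRoleClaims lingers for up to the cache lifetime, so set it to what your revocation requirements tolerate (or drop the cache for an always-live lookup). ASP.NET Core also offers IClaimsTransformation as a framework hook for exactly this enrichment; the inline middleware is used here because it matches the answer's sketch.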