I am trying to figure out the best way to create a custom authorization attribute for my ASP.NET Core application. I have seen this post and I am aware of the 2 approaches discussed there: How do you create a custom AuthorizeAttribute in ASP.NET Core?
1) Using IAuthorizationFilter
2) Using Policies
I saw that the official documentation suggests that we should be using policies and not IAuthorizationFilter, but I felt that using policies for my scenario is overkill. I personally liked the IAuthorizationFilter approach more.
I have a very basic requirement. I want to create an authorize attribute for my web API and need to throw 403 if the current user is not whitelisted to use this API. I really don't care about the scopes (canRead, canWrite, canReadWrite etc.). If I go ahead with the policy approach, I may be using the same policy for all my APIs. What is the best way to achieve this?
Using policies for something like this isn't overkill. You need a requirement:
    public class WhitelistRequirement : IAuthorizationRequirement
    {
    }
A handler:
    public class WhitelistHandler : AuthorizationHandler<WhitelistRequirement>
    {
        // Inject dependencies, such as your whitelist, through the constructor.
        // Here the whitelist is assumed to be an ISet<string> of user names registered in DI.
        private readonly ISet<string> _whitelist;

        public WhitelistHandler(ISet<string> whitelist)
        {
            _whitelist = whitelist;
        }

        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                       WhitelistRequirement requirement)
        {
            // Illustrative check: the authenticated user's name must be on the whitelist.
            // Replace with your own implementation.
            var userName = context.User.Identity?.Name;
            if (userName != null && _whitelist.Contains(userName))
            {
                context.Succeed(requirement);
            }
            return Task.CompletedTask;
        }
    }
Register both in ConfigureServices:
    services.AddAuthorization(options =>
        options.AddPolicy("WhitelistPolicy",
            b => b.AddRequirements(new WhitelistRequirement())));
    services.AddSingleton<IAuthorizationHandler, WhitelistHandler>();
Then use your policy:
    [Authorize(Policy = "WhitelistPolicy")]
You can apply the policy globally with a global filter:
    services.AddMvc(config =>
    {
        var policy = new AuthorizationPolicyBuilder()
            .AddRequirements(new WhitelistRequirement())
            .Build();
        config.Filters.Add(new AuthorizeFilter(policy));
    });
The resulting behavior for unauthenticated or forbidden users depends on the implementation of the "challenge" and "forbid" behaviors in your app's authentication handler.
See here.
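To see the requirement/handler pair deny a non-whitelisted user before wiring it into a controller, the policy can be evaluated directly through IAuthorizationService. The following is an added example, not code from the answer above; it assumes the whitelist is an ISet<string> of user names registered in DI, uses a constructed sample whitelist containing only "alice", and the WhitelistPolicyCheck helper is hypothetical.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

public sealed class WhitelistRequirement : IAuthorizationRequirement { }

public sealed class WhitelistHandler : AuthorizationHandler<WhitelistRequirement>
{
    private readonly ISet<string> _whitelist; // assumed to be registered in DI

    public WhitelistHandler(ISet<string> whitelist) => _whitelist = whitelist;

    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   WhitelistRequirement requirement)
    {
        var name = context.User.Identity?.Name;
        // Succeed only for an authenticated, whitelisted user. Leaving the requirement
        // unmet (rather than calling Fail) is enough for the policy to deny access.
        if (name != null && _whitelist.Contains(name))
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

public static class WhitelistPolicyCheck
{
    // Evaluates "WhitelistPolicy" for a user the same way [Authorize(Policy = ...)] does,
    // through IAuthorizationService resolved from a minimal DI container (no web host).
    public static async Task<bool> IsAllowedAsync(string userName)
    {
        var services = new ServiceCollection();
        services.AddLogging(); // DefaultAuthorizationService needs an ILogger
        services.AddSingleton<ISet<string>>(new HashSet<string> { "alice" }); // constructed sample whitelist
        services.AddSingleton<IAuthorizationHandler, WhitelistHandler>();
        services.AddAuthorization(options =>
            options.AddPolicy("WhitelistPolicy", b => b.AddRequirements(new WhitelistRequirement())));
        var authz = services.BuildServiceProvider().GetRequiredService<IAuthorizationService>();

        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, userName) }, "Test");
        var result = await authz.AuthorizeAsync(new ClaimsPrincipal(identity), "WhitelistPolicy");
        return result.Succeeded; // true for "alice", false for any name not in the set
    }
}
```

In a request pipeline the same unmet requirement is what the AuthorizeFilter turns into a forbid result, which the authentication handler renders as 403 for an authenticated user.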