How can I authorize claims for each Web API request using token-based authentication? I have a controller on which I applied the Authorize attribute, which will look for a token on each request and return a response if it's a valid token. But I have a controller called AdminController which I would like to be accessible to users having the admin claim. How can I implement this? Any suggestions please?
1 Answer
The quick way to do this is to add a claim of type "Role" and assign it the value "Admin". This should be done before generating the token for this user, in the method GrantResourceOwnerCredentials; it will be as in the code below:
identity.AddClaim(new Claim(ClaimTypes.Role, "Admin"));
Now in your AdminController, attribute it with
[Authorize(Roles="Admin")]
This is called role-based authentication, but in the end the roles are considered claims.
You can check this complete code sample too.
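As an added example (not code from the question, the answer, or the linked sample), here is the provider and controller the answer describes, put together so the role claim is issued at token time and checked on every request. It assumes the OWIN OAuth middleware (Microsoft.Owin.Security.OAuth) is registered in Startup with this provider; the users "alice" and "bob" are constructed sample data and the plain-text password comparison is a stand-in for a real user store that compares hashes.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;

public class SimpleAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    // Hypothetical in-memory users (constructed sample data); a real store compares password hashes.
    static readonly Dictionary<string, Tuple<string, bool>> Users = new Dictionary<string, Tuple<string, bool>>
    {
        { "alice", Tuple.Create("alice-pass", true) },  // admin
        { "bob",   Tuple.Create("bob-pass",   false) }, // ordinary user
    };

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated(); // resource owner password flow with no client secret in this example
        return Task.FromResult<object>(null);
    }

    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        Tuple<string, bool> entry;
        if (!Users.TryGetValue(context.UserName, out entry) || entry.Item1 != context.Password)
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return Task.FromResult<object>(null);
        }

        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        if (entry.Item2) // the Role claim is what [Authorize(Roles = "Admin")] checks on every request
            identity.AddClaim(new Claim(ClaimTypes.Role, "Admin"));

        context.Validated(new AuthenticationTicket(identity, new AuthenticationProperties()));
        return Task.FromResult<object>(null);
    }
}

// A request whose token lacks a Role claim of "Admin" (or has no valid token) is rejected before the action runs.
[Authorize(Roles = "Admin")]
public class AdminController : ApiController
{
    public IHttpActionResult Get() { return Ok("admin only"); }
}
```

With this in place, a token obtained as "alice" reaches AdminController while a token obtained as "bob" is rejected, even though both tokens pass the plain [Authorize] attribute on other controllers.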
1 Comment
Ammar Khan
I am wondering if the location tag inside web.config could also be able to identify the role as well. I am using Elmah for logging errors, and to secure it I set up a location tag and restricted it to only those users who are in the Admin role. I found out that when I am making API calls, it successfully passes the Authorize attribute that is on the controller level, but the rule that I set under the location tag <allow roles="Admin"/> does not seem to be working. I am still getting an "Access Denied" error. Any suggestion on this would be helpful.