
I'm using claims-based-identity in ASP.NET Core 2.2

From what I've read, it's possible to make custom claims/policy authorization using the following format (found in this answer)

[Authorize(Policy = "DataDrivenExample")]
public IActionResult GetFooBar()
{
    // Omitted for brevity...
}

However, in my application, I need to check whether the user has access to THIS specific object. For example, something like this:

[Authorize(Policy = "EditFooBar:" + id)]
public IActionResult EditFooBar(string id)
{
    // Omitted for brevity...
}

The handler then something like this...?

public class EditFooBarHandler : AuthorizationHandler<DataDrivenRequirement>
{
    protected override void Handle(AuthorizationContext context,
                                   string id)
    {
        var hasClaim = context.HttpContext.User.Claims.Any(c => c.Type == "EditFooBar" && c.Value == id);
        ...etc...
    }
}

It's not really feasible to make a separate policy for every possible value of id.

Basically, how can I pass data into a policy requirement checker that is different for every request to that API endpoint?

1
  • First, claims are not supposed to be permissions. Claims are usually stuff that rarely changes (name, last name, email, birthday etc.) and your policies would then be more based on cases rather than permissions (i.e. "PlaceOrder", "ManageUsers" etc. rather than "delete user", "read user", "edit user"). To (ab)use claims for ACL see this answer. Commented Mar 5, 2019 at 16:54

1 Answer

3

I believe what you are looking for in this case is Resource-based Authorization.

https://learn.microsoft.com/en-us/aspnet/core/security/authorization/resourcebased?view=aspnetcore-2.2
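The resource-based pattern the answer points to, as an added example (not code from the question or the linked docs): the requirement stays constant, and the specific object is passed to `IAuthorizationService.AuthorizeAsync` per request so the handler can inspect it. `FooBar`, `LoadFooBarAsync`, the `"sub"` claim as the user id and the `"EditFooBar"` claim type are assumptions for illustration.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical domain object; only Id and OwnerId matter for the check.
public class FooBar
{
    public string Id { get; set; }
    public string OwnerId { get; set; }
}
// The requirement carries no per-request data; the resource passed alongside it does.
public class EditFooBarRequirement : IAuthorizationRequirement { }

// Resource-based handler: receives the requirement AND the specific object.
public class EditFooBarHandler : AuthorizationHandler<EditFooBarRequirement, FooBar>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, EditFooBarRequirement requirement, FooBar resource)
    {
        // Grant if the user owns the object or holds a claim naming its id (assumed claim shapes).
        var userId = context.User.FindFirst("sub")?.Value;
        if (resource.OwnerId == userId || context.User.HasClaim("EditFooBar", resource.Id))
            context.Succeed(requirement);
        // Not calling Fail() lets other handlers for this requirement still succeed.
        return Task.CompletedTask;
    }
}
public class FooBarController : Controller
{
    private readonly IAuthorizationService _authz;
    public FooBarController(IAuthorizationService authz) => _authz = authz;

    [HttpPost("foobar/{id}")]
    public async Task<IActionResult> EditFooBar(string id)
    {
        var fooBar = await LoadFooBarAsync(id);
        if (fooBar == null) return NotFound();
        // Evaluate the requirement against THIS object, once per request.
        var result = await _authz.AuthorizeAsync(User, fooBar, new EditFooBarRequirement());
        if (!result.Succeeded)
            return User.Identity.IsAuthenticated ? (IActionResult)Forbid() : Challenge();
        return Ok(); // apply the edit here
    }

    // Hypothetical data access; a constructed stand-in for a repository lookup.
    private Task<FooBar> LoadFooBarAsync(string id) =>
        Task.FromResult(new FooBar { Id = id, OwnerId = "alice" });
}
```

The handler must be registered in `Startup.ConfigureServices` with `services.AddSingleton<IAuthorizationHandler, EditFooBarHandler>();`, and no per-id policy is needed because the requirement is passed directly to `AuthorizeAsync`.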
