Sep 10, 2018

ASP.NET Core 2.1 - Identity - Multiple authentication policies or customizing default policy

The previous article, http://developmentfootprints.blogspot.com/2018/09/aspnet-core-21-identity-using-hardcoded.html, demonstrated the simplest approach: using hardcoded roles.
Here I'm addressing two further levels of customizing authorization, which can also include roles.

You can use this approach to customize the default authentication/authorization or to implement multiple authorization schemes in your app.

In a nutshell, Identity authorization implements a collection of authorization policies, and each of these can use a number of authentication schemes. As stated in the previous article, by default you have one authorization policy, named:

Identity.Application

You can easily add new policies in your ConfigureServices like this:

services.AddAuthorization(options =>
{
    options.AddPolicy(nameof(RoleAuthorization.HasAdminRole), policyBuilder =>
    {
        policyBuilder.RequireRole(RoleAuthorization.AdminRole);
        policyBuilder.AddAuthenticationSchemes(nameof(RoleAuthorization.HasAdminRole));
    });
});

In the above example we build a new policy with only one rule and map it to the appropriate authentication scheme. This scheme must be registered like this:

services.AddAuthentication()
    .AddCookie(nameof(RoleAuthorization.HasAdminRole), options => ConfigureHasAdminRole(options));


This tells Identity how to authenticate requests for your new policy, using a cookie.
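The two snippets above are fragments; the following added example (my own code, not from the original post or the ASP.NET Core project) puts them together into a complete wiring. The post references `RoleAuthorization` and `ConfigureHasAdminRole` without showing their bodies, so the constants, cookie name and login routes used here are assumptions, and it is assumed that Identity itself was registered as in the previous post so that `Identity.Application` remains the default scheme. The `Login` action shows the part the post leaves implicit: the role claim that `RequireRole` later checks is whatever the sign-in code puts into the cookie, so the Admin claim must only be added after the user's role membership has actually been verified.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Assumed shape of the class the post refers to; values are illustrative.
public static class RoleAuthorization
{
    public const string AdminRole = "Admin";           // role name checked by RequireRole
    public const string HasAdminRole = "HasAdminRole"; // used as both policy and scheme name
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        // Identity (previous post) is assumed to be registered already; this adds a
        // second cookie scheme next to Identity.Application.
        services.AddAuthentication()
            .AddCookie(RoleAuthorization.HasAdminRole, ConfigureHasAdminRole);

        services.AddAuthorization(options =>
        {
            options.AddPolicy(RoleAuthorization.HasAdminRole, policyBuilder =>
            {
                // Only a principal produced by the admin cookie scheme is evaluated,
                // and it must be authenticated and carry the Admin role claim.
                policyBuilder.AddAuthenticationSchemes(RoleAuthorization.HasAdminRole);
                policyBuilder.RequireAuthenticatedUser();
                policyBuilder.RequireRole(RoleAuthorization.AdminRole);
            });
        });
    }

    // A distinct cookie name keeps the two schemes apart: an Identity.Application
    // cookie can never satisfy the admin policy, and vice versa.
    private static void ConfigureHasAdminRole(CookieAuthenticationOptions options)
    {
        options.Cookie.Name = ".Admin.Auth";              // assumed cookie name
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.LoginPath = "/Admin/Login";               // assumed route
        options.AccessDeniedPath = "/Admin/Denied";       // assumed route
        options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
        options.SlidingExpiration = true;
    }
}

public class AdminController : Controller
{
    // Issues the admin cookie. The role claim is added only after Identity has
    // confirmed both the password and the user's membership in the Admin role.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string userName, string password,
        [FromServices] UserManager<IdentityUser> users)
    {
        var user = await users.FindByNameAsync(userName);
        if (user == null
            || !await users.CheckPasswordAsync(user, password)
            || !await users.IsInRoleAsync(user, RoleAuthorization.AdminRole))
        {
            return Unauthorized();
        }

        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, user.UserName),
            new Claim(ClaimTypes.Role, RoleAuthorization.AdminRole),
        };
        var identity = new ClaimsIdentity(claims, RoleAuthorization.HasAdminRole);
        await HttpContext.SignInAsync(RoleAuthorization.HasAdminRole, new ClaimsPrincipal(identity));
        return RedirectToAction(nameof(Dashboard));
    }

    // The policy already names its scheme, so Policy alone is enough here.
    [Authorize(Policy = RoleAuthorization.HasAdminRole)]
    public IActionResult Dashboard() => Content("admin only");
}
```

Note that `[Authorize]` without a policy still goes through the default scheme (`Identity.Application`), so a user holding only the admin cookie is not signed in for the rest of the site, and the other way round; that separation is the whole point of running two schemes.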

Read the previous article, http://developmentfootprints.blogspot.com/2018/09/aspnet-core-21-identity-using-hardcoded.html, for a short introduction to policies and authentication schemes and for a way to work with the provided defaults without creating new policies or authentication schemes (cookies). It's not just cookies :)



Make sure to explore the policyBuilder members. They provide an elegant way to define the most common rules you may have about claims, roles, etc.

If you still can't express your rules, use a fully custom AuthorizationHandler. Add a new class:

using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// The class is both the requirement and its handler, so the built-in
// PassThroughAuthorizationHandler runs it without a separate DI registration.
public class LoyaltyUserLoggedIn : AuthorizationHandler<LoyaltyUserLoggedIn>, IAuthorizationRequirement
{
    private readonly ILoyaltySecurityService _loyaltySecurity;

    public LoyaltyUserLoggedIn(ILoyaltySecurityService loyaltySecurity)
    {
        _loyaltySecurity = loyaltySecurity;
    }

    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, LoyaltyUserLoggedIn requirement)
    {
        // Put your own check here; IsLoggedIn is a hypothetical member of ILoyaltySecurityService.
        if (_loyaltySecurity.IsLoggedIn(context.User))
        {
            context.Succeed(requirement);
        }
        else
        {
            context.Fail();
        }

        return Task.CompletedTask;
    }
}

Register your new AuthorizationHandler as a new requirement in your new policy:

options.AddPolicy("LoyaltyLoggedIn", policyBuilder =>
{
    policyBuilder.Requirements.Add(new LoyaltyUserLoggedIn(container.GetInstance<ILoyaltySecurityService>()));
    policyBuilder.AddAuthenticationSchemes("LoyaltyCookie");
});

The authentication cookie configuration mapping is the same as before.
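As an added example (my own code, not the post's), here is a complete version of the custom-requirement approach with one change: the requirement and the handler are split, so the handler is created by dependency injection per authorization call instead of being built from a container while ConfigureServices runs. The rule itself is illustrative and mine, not the post's: the loyalty login must be recent, which is something policyBuilder cannot express. The policy and scheme names are taken from the post; the `auth_time` claim name follows OpenID Connect and is assumed to be written by the sign-in helper shown at the end. `ISystemClock` is a real service that `AddAuthentication()` registers.

```csharp
using System;
using System.Globalization;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

public static class LoyaltyAuth
{
    public const string Scheme = "LoyaltyCookie";     // scheme name from the post
    public const string Policy = "LoyaltyLoggedIn";   // policy name from the post
    public const string AuthTimeClaim = "auth_time";  // Unix seconds, written at sign-in
}

// The requirement only carries data, so it needs no dependencies to construct.
public class RecentLoginRequirement : IAuthorizationRequirement
{
    public TimeSpan MaxAge { get; }
    public RecentLoginRequirement(TimeSpan maxAge) => MaxAge = maxAge;
}

// The handler is resolved from DI, so its dependencies come through the
// constructor; injecting ISystemClock also makes the rule unit-testable.
public class RecentLoginHandler : AuthorizationHandler<RecentLoginRequirement>
{
    private readonly ISystemClock _clock;
    public RecentLoginHandler(ISystemClock clock) => _clock = clock;

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, RecentLoginRequirement requirement)
    {
        var authTime = context.User.FindFirst(LoyaltyAuth.AuthTimeClaim)?.Value;
        if (context.User.Identity?.IsAuthenticated == true
            && long.TryParse(authTime, NumberStyles.None, CultureInfo.InvariantCulture, out var seconds)
            && _clock.UtcNow - DateTimeOffset.FromUnixTimeSeconds(seconds) <= requirement.MaxAge)
        {
            context.Succeed(requirement);
        }
        else
        {
            // An explicit Fail() makes the policy fail even if some other handler
            // marks the requirement as met; a missing or stale claim is never rescued.
            context.Fail();
        }
        return Task.CompletedTask;
    }
}

public static class LoyaltyAuthorizationSetup
{
    // Call from ConfigureServices after the Identity registration from the previous post.
    public static void Register(IServiceCollection services)
    {
        services.AddAuthentication()
            .AddCookie(LoyaltyAuth.Scheme, options => options.Cookie.Name = ".Loyalty.Auth"); // assumed cookie name

        // Registered handler: DI builds it and supplies ISystemClock.
        services.AddSingleton<IAuthorizationHandler, RecentLoginHandler>();

        services.AddAuthorization(options =>
        {
            options.AddPolicy(LoyaltyAuth.Policy, policyBuilder =>
            {
                policyBuilder.AddAuthenticationSchemes(LoyaltyAuth.Scheme);
                policyBuilder.RequireAuthenticatedUser();
                policyBuilder.Requirements.Add(new RecentLoginRequirement(TimeSpan.FromMinutes(15)));
            });
        });
    }

    // Builds the principal to pass to HttpContext.SignInAsync(LoyaltyAuth.Scheme, ...)
    // once the loyalty user's credentials have been verified.
    public static ClaimsPrincipal CreateLoyaltyPrincipal(string userName, ISystemClock clock)
    {
        var identity = new ClaimsIdentity(LoyaltyAuth.Scheme);
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));
        identity.AddClaim(new Claim(LoyaltyAuth.AuthTimeClaim,
            clock.UtcNow.ToUnixTimeSeconds().ToString(CultureInfo.InvariantCulture)));
        return new ClaimsPrincipal(identity);
    }
}
```

The split matters for lifetime: a requirement constructed with `container.GetInstance<...>()` in ConfigureServices captures one service instance for the life of the application, whereas a handler registered with `AddScoped` or `AddSingleton` gets dependencies with the lifetime you declare, which is what you want if the check hits a database or a per-request cache.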



Let's recap. There are policies, which consist of a number of requirements (claims, roles, custom) and related authentication schemes.

This is just the tip of the iceberg of your options for customizing Identity. There is also the concept of permissions associated with claims. I haven't used that yet.

