
I'm using claims-based-identity in ASP.NET Core 2.2

From what I've read, it's possible to make custom claims/policy authorization using the following format (found in this answer)

[Authorize(Policy = "DataDrivenExample")]
public IActionResult GetFooBar()
{
    // Omitted for brevity...
}

However, in my application, I need to check whether the user has access to THIS specific object. For example, something like this:

[Authorize(Policy = "EditFooBar:" + id)]
public IActionResult EditFooBar(string id)
{
    // Omitted for brevity...
}

The handler would then be something like this...?

public class EditFooBarHandler : AuthorizationHandler<DataDrivenRequirement>
{
    // Sketch only: the "string id" parameter is what I would like to receive per request
    protected override void Handle(AuthorizationContext context,
                                   string id)
    {
        var hasClaim = context.HttpContext.User.Claims.Any(c => c.Type == "EditFooBar" && c.Value == id);
        ...etc...
    }
}

It's not really feasible to make a separate policy for every possible value of id.

Basically, how can I pass data into a policy requirement checker that is different for every request to that API endpoint?

Alex
  • First, claims are not supposed to be permissions. Claims are usually stuff that rarely changes (name, last name, email, birthday etc.) and your policies would then be more based on cases rather than permissions (i.e. "PlaceOrder", "ManageUsers" etc. rather than "delete user", "read user", "edit user"). To (ab)use claims for ACL see [this answer](https://stackoverflow.com/questions/36445780/how-to-implement-permission-based-access-control-with-asp-net-core/36447358#36447358) – Tseng Mar 05 '19 at 16:54

1 Answer


I believe what you are looking for in this case is Resource-based Authorization.

https://docs.microsoft.com/en-us/aspnet/core/security/authorization/resourcebased?view=aspnetcore-2.2

alans
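As an added illustration of the resource-based approach the answer points to (this is example code written for this page, not code from the question, the answer, or the ASP.NET Core docs), the handler below receives the loaded object as its resource, so a single registered handler decides "can this user edit this FooBar" without a policy per id. The types FooBar, IFooBarRepository, the OwnerId field and the claim type "EditFooBar" are assumptions; the ASP.NET Core 2.2 API calls (AuthorizationHandler<TRequirement, TResource>, OperationAuthorizationRequirement, IAuthorizationService.AuthorizeAsync) are the real ones.

```csharp
// Added example (not from the question or answer): resource-based authorization
// in ASP.NET Core 2.2 for a per-object "edit" decision. FooBar, OwnerId,
// IFooBarRepository and the claim type "EditFooBar" are assumed names.
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Infrastructure;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// The protected object (hypothetical model).
public class FooBar
{
    public string Id { get; set; }
    public string OwnerId { get; set; }
}

// Operations expressed as requirements. The handler gets both the requirement and
// the concrete resource instance, so no per-id policy name is ever needed.
public static class FooBarOperations
{
    public static readonly OperationAuthorizationRequirement Edit =
        new OperationAuthorizationRequirement { Name = "Edit" };
}

public class FooBarEditHandler
    : AuthorizationHandler<OperationAuthorizationRequirement, FooBar>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        OperationAuthorizationRequirement requirement,
        FooBar resource)
    {
        if (requirement.Name != FooBarOperations.Edit.Name)
            return Task.CompletedTask;

        var userId = context.User.FindFirstValue(ClaimTypes.NameIdentifier);

        // Grant when the caller owns the object, or carries an explicit "EditFooBar"
        // claim whose value is this object's id (the check sketched in the question).
        var isOwner = userId != null && userId == resource.OwnerId;
        var hasExplicitClaim = context.User.Claims.Any(
            c => c.Type == "EditFooBar" && c.Value == resource.Id);

        if (isOwner || hasExplicitClaim)
            context.Succeed(requirement);

        // Otherwise say nothing: with no handler succeeding the evaluation fails closed.
        return Task.CompletedTask;
    }
}

// Hypothetical data access abstraction.
public interface IFooBarRepository
{
    Task<FooBar> FindAsync(string id);
}

[Authorize] // authentication is still enforced declaratively
public class FooBarController : Controller
{
    private readonly IAuthorizationService _authorization;
    private readonly IFooBarRepository _repository;

    public FooBarController(IAuthorizationService authorization, IFooBarRepository repository)
    {
        _authorization = authorization;
        _repository = repository;
    }

    [HttpPost("foobar/{id}/edit")]
    public async Task<IActionResult> EditFooBar(string id)
    {
        var fooBar = await _repository.FindAsync(id);
        if (fooBar == null)
            return NotFound();

        // The per-request data the question asks about is the loaded object itself.
        var result = await _authorization.AuthorizeAsync(User, fooBar, FooBarOperations.Edit);
        if (!result.Succeeded)
            return Forbid();

        // ...apply the edit...
        return Ok();
    }
}

// Startup.ConfigureServices: register the handler once; it is matched by the
// (requirement type, resource type) pair rather than by a policy name.
public static class AuthorizationRegistration
{
    public static void Register(IServiceCollection services)
    {
        services.AddAuthorization();
        services.AddSingleton<IAuthorizationHandler, FooBarEditHandler>();
    }
}
```

The important design point is that the authorization decision runs after the object is loaded and inside the action, so the check sees the actual record (its owner, its state) instead of only a string from the route; the [Authorize] attribute still gates authentication up front, and a failed decision returns 403 via Forbid() rather than leaking whether the id exists beyond the earlier 404.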