authorization
Authorization takes place at two different levels in the API Reference Architecture. The first authorization checks take place in the REST API implementation of the Infrastructure.WebApi layer. The second authorization checks take place in the application server implementation in the Infrastructure.Server layer.
The API layer is concerned with obtaining the user's identity, as well as scopes granted to the user, from a verified authorization server. The scopes will be used to determine whether or not the user is authorized to make calls to specific API endpoints.
Configure the JWT bearer authentication middleware inside Startup.cs. First, tell the JWT bearer authentication middleware which JWT claim will contain the user identifier that should be mapped to the HttpContext User Identity.
```csharp
// Add Authentication Support
var tokenValidationParameters = new TokenValidationParameters
{
    NameClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
};
```
Configure the authentication middleware so that it uses the JwtBearer defaults, and configure the JwtBearer middleware with the details of the authorization service that will be issuing the bearer tokens. This enables the middleware to validate the tokens (issuer, audience, signature and lifetime) and perform the necessary claim mappings.
```csharp
string domain = $"https://{Configuration["NoteTaking:UserProfileService:Auth0:Domain"]}/";
services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{
    options.Authority = domain;
    options.Audience = Configuration["NoteTaking:UserProfileService:Auth0:ApiIdentifier"];
    options.TokenValidationParameters = tokenValidationParameters;
});
```
Wire up the authentication middleware via the app builder.
```csharp
app.UseAuthentication();
```
HasScopeRequirement.cs is the requirement type evaluated by an AuthorizationHandler; we wire it in via policy requirements in Program.cs. The constructor for HasScopeRequirement is shown below, but the real work happens in the handler's HandleRequirementAsync method.
```csharp
// Implementing IAuthorizationRequirement is what lets a policy's Requirements.Add accept it.
public class HasScopeRequirement : IAuthorizationRequirement
{
    public string Scope { get; }   // scope string the policy demands
    public string Issuer { get; }  // authority that must have granted it

    public HasScopeRequirement(string scope, string issuer)
    {
        Scope = scope;
        Issuer = issuer;
    }
}
```
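The handler side of the requirement, as an added example that is not the project's own code: it assumes HasScopeRequirement exposes its constructor arguments as Scope and Issuer properties, that the handler class is named HasScopeHandler, and that the token carries its granted scopes space-separated in a "scope" claim (the OAuth 2.0 / Auth0 convention). The issuer check and the exact-match comparison are the two points a reviewer should look for in any such handler.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Added example (not the project's own code). Assumes HasScopeRequirement
// exposes Scope and Issuer properties and that granted scopes arrive
// space-separated in a single "scope" claim.
public class HasScopeHandler : AuthorizationHandler<HasScopeRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, HasScopeRequirement requirement)
    {
        // Only honour a "scope" claim minted by the configured issuer. A token
        // from another authority carrying the same scope string must not pass.
        Claim scopeClaim = context.User.FindFirst(
            c => c.Type == "scope" && c.Issuer == requirement.Issuer);

        if (scopeClaim == null)
            return Task.CompletedTask; // requirement left unmet: request is forbidden

        string[] granted = scopeClaim.Value.Split(
            ' ', StringSplitOptions.RemoveEmptyEntries);

        // Exact, ordinal match only: "categories:read" must not satisfy
        // "categories:write", and no prefix or wildcard matching is attempted.
        if (granted.Any(s => string.Equals(s, requirement.Scope, StringComparison.Ordinal)))
            context.Succeed(requirement);

        return Task.CompletedTask;
    }
}

// Register the handler once alongside AddAuthorization so the policies are
// evaluated through it (hypothetical placement, not from the page):
// services.AddSingleton<IAuthorizationHandler, HasScopeHandler>();

// A policy name from the page applied to a controller action (constructed sample).
[ApiController]
public class CategoriesController : ControllerBase
{
    [HttpGet("categories")]
    [Authorize(Policy = "https://company.dev/notetaking/categories:read")]
    public IActionResult List() => Ok(new[] { "work", "personal" });
}
```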
This is how scopes are made known to the .NET authorization middleware. Once configured here, the policy identifiers can be used to limit access to controller actions via the Authorization attribute.
```csharp
services.AddAuthorization(options =>
{
    options.AddPolicy("https://company.dev/notetaking/pingsecure",
        policy => policy
            .Requirements
            .Add(new HasScopeRequirement("https://company.dev/notetaking/pingsecure", domain)));
    options.AddPolicy("https://company.dev/notetaking/default",
        policy => policy
            .Requirements
            .Add(new HasScopeRequirement("https://company.dev/notetaking/default", domain)));
    options.AddPolicy("https://company.dev/notetaking/categories:read",
        policy => policy
            .Requirements
            .Add(new HasScopeRequirement("https://company.dev/notetaking/categories:read", domain)));
    options.AddPolicy("https://company.dev/notetaking/categories:write",
        policy => policy
            .Requirements
            .Add(new HasScopeRequirement("https://company.dev/notetaking/categories:write", domain)));
});
```
The Application Server layer is concerned with determining whether or not the identified user is authorized to view or manipulate the data that is being requested. The user's permissions will be queried from an application-specific source and those permissions will be used to determine whether or not the current request will be granted or denied.