Role based authorization in ASP.NET OWIN?

  • Question

  • User-1883651362 posted

    How to get a role based authorization in ASP.NET OWIN with JWT?

    This is the middleware where the JWT is authenticated:

    app.UseJwtBearerAuthentication(
        new JwtBearerAuthenticationOptions
        {
            // Active mode: the middleware validates the bearer token on every request
            AuthenticationMode = AuthenticationMode.Active,

            TokenValidationParameters = new TokenValidationParameters()
            {
                ValidAudience = apiAudience,
                ValidIssuer = domain,
                // Resolve the signing key for the key identifier named in the token
                IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) =>
                    keyResolver.GetSigningKey(identifier)
            }
        });
    Tuesday, November 7, 2017 8:05 PM

All replies

  • User1168443798 posted

    Hi trenzin,

    >> How to get a role based authorization in ASP.NET OWIN with JWT?

    Do you mean you want to enable role authorization under JWT, and validate the role in OWIN?

    If so, you need to add role claims while generating JWT token like below:

    private async Task<JwtSecurityToken> GetJwtSecurityToken(UserEntity user)
    {
        // Load the user's claims (including role claims) from the identity store
        var userClaims = await _userManager.GetClaimsAsync(user);

        return new JwtSecurityToken(
            issuer: _appConfiguration.Value.SiteUrl,
            audience: _appConfiguration.Value.SiteUrl,
            claims: userClaims,
            expires: DateTime.UtcNow.AddMinutes(10),          // short-lived token
            signingCredentials: new SigningCredentials(
                new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_appConfiguration.Value.Key)),
                SecurityAlgorithms.HmacSha256)
        );
    }

    And then, you could validate the claims from the token in the OWIN middleware.

    You could refer to the link below for more information.

    JWT Authentication for Asp.Net Web Api

    https://stackoverflow.com/questions/40281050/jwt-authentication-for-asp-net-web-api

    Best Regards,

    Edward

    Wednesday, November 8, 2017 2:52 AM
  • User-1883651362 posted

    Yes, I want to enable role authorization. But I need to claim those roles in the API only. I am using Auth0 to generate tokens and the roles are already attached in the JWT, and the actual user is not stored in any local db, just in the Auth0 db. So the question is how to consume logged users in the API to get their roles?

    Wednesday, November 8, 2017 4:53 AM
  • User1168443798 posted

    Hi trenzin,

    >> So the question is how to consume logged user in API to get their roles?

    What do you mean by this? In general, we store the user and role in the token, and you have said the roles are already attached in the token. Then, you just need to check whether the user has the role to access the API.

    Do you mean you do not know how to access the role in the API? In general, the role in the token will be converted to Claims and stored in User.Identity; you could try the following to access the user's claims and check the user's role.

    var identity = (ClaimsIdentity)User.Identity;   // claims built from the validated JWT
    IEnumerable<Claim> claims = identity.Claims;    // includes the role claims carried in the token

    Best Regards,

    Edward

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, November 8, 2017 6:28 AM
  • User-1883651362 posted

    Thanks for the answer. Eventually it works, but do I have to check it in every controller, or is there any other way to do it as I'm authenticated?

    EDIT: I probably solved that by claiming roles in a Base API controller from which my other controllers inherit.

    Friday, November 24, 2017 11:56 AM
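    An added example (not code from the thread) tying the pieces together: the OWIN JWT middleware from the question with the token's role claim mapped onto the identity's role claim type, and the base-controller approach from the post above, so that Web API's [Authorize(Roles = ...)] performs the check instead of each action. The role claim type name, SecuredApiController, UsersController and the ConfigureAuth parameters are assumptions.

```csharp
// Added example (not code from the thread); names and the role claim type are assumed.
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Web.Http;
using Microsoft.IdentityModel.Tokens;   // System.IdentityModel.Tokens on older Owin.Security.Jwt builds
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Jwt;
using Owin;

public partial class Startup
{
    // Assumed claim type the issuer stores roles under; use the one present in your tokens.
    private const string RoleClaimName = "https://example.com/claims/roles";
    public void ConfigureAuth(IAppBuilder app, string apiAudience, string domain,
                              IssuerSigningKeyResolver keyResolver)
    {
        app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
        {
            AuthenticationMode = AuthenticationMode.Active,
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidAudience = apiAudience,        // reject tokens minted for other APIs
                ValidIssuer = domain,               // reject tokens from other issuers
                ValidateLifetime = true,            // reject expired tokens
                IssuerSigningKeyResolver = keyResolver,
                // Map the issuer's role claim onto ClaimsIdentity.RoleClaimType so that
                // User.IsInRole and [Authorize(Roles = ...)] see the roles.
                RoleClaimType = RoleClaimName
            }
        });
    }
}

// Base controller: derived controllers inherit the role lookup instead of repeating it,
// and [Authorize] rejects anonymous callers before any action runs.
[Authorize]
public abstract class SecuredApiController : ApiController
{
    protected ClaimsIdentity Identity => (ClaimsIdentity)User.Identity;
    protected IEnumerable<string> Roles =>
        Identity.FindAll(Identity.RoleClaimType).Select(c => c.Value);
    protected bool HasRole(string role) => User.IsInRole(role);
}
[Authorize(Roles = "admin")]   // enforced by Web API, not re-checked in each action
public class UsersController : SecuredApiController
{
    [HttpGet] public IHttpActionResult Get() => Ok(Roles.ToList());
}
```

    With RoleClaimType set, a request whose token lacks an "admin" role claim gets 403 from the attribute before Get() runs, so no per-controller claim parsing is needed.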
  • User1168443798 posted

    Hi trenzin,

    >> do I have to check it in every controller or is any other way to do it as I'm authenticated?

    As you have found, you could solve this by claiming roles in a Base API controller.

    Best Regards,

    Edward

    Monday, November 27, 2017 5:27 AM