Page Routing based on a custom value

  • User2054207217 posted

    Hello:

    I need to authorize MVC pages based on a combination of custom values that I obtain from the user logged in, for example:

    A logged in user will see a certain page(s) if they have a code value of "ABCD" that I generate from querying certain values from their extension attributes. If the code value is "WXYZ" then they will see another page.

    Thanks.

    Monday, April 13, 2020 11:33 PM

All replies

  • User-854763662 posted

    Hi progdever,

    A logged in user will see a certain page(s) if they have a code value of "ABCD" that I generate from querying certain values from their extension attributes. If the code value is "WXYZ" then they will see another page.

    You could use return Redirect() or return RedirectToAction() to display different pages for different users based on the code value owned by the user.

    Best Regards,

    Sherry

    Tuesday, April 14, 2020 8:04 AM
  • User2054207217 posted

    Hi Sherry,

    Thanks, is there another way, like storing this value in a Claims attribute and then using Route attributes? Also, what is the best way to store this code value so that it persists throughout the session (instead of querying/making a call to Azure AD to get this code value)? Where should this value be initialized, perhaps in Startup.cs (MVC Core), so that it is available through all the pages, if needed?

    Paul

    Tuesday, April 14, 2020 3:53 PM
  • User-474980206 posted

    I would add it as a claim to the user token.

    Tuesday, April 14, 2020 4:47 PM
  • User2054207217 posted

    Can you please send me an example code? Thanks.

    Also, is this the best approach to go about this?

    Tuesday, April 14, 2020 5:14 PM
  • User-474980206 posted

    You haven't given enough requirements and use cases to know the best approach.

    see:

      https://docs.microsoft.com/en-us/aspnet/core/security/authentication/social/additional-claims?view=aspnetcore-3.1

    Tuesday, April 14, 2020 5:45 PM
  • User2054207217 posted

    I currently have an MVC Core application that uses OpenIDConnect to do authorization, and later the Graph API to get additional user attributes.

    Requirements based on the User Logged in:

    1. If a user has attribute code of, say, "Code01" then they get displayed a page (CRUD operations)

    2. If a user has attrib. "Code02" they go to an admin section (may be Admin controller and pages)

    What do you suggest based on these? Where should the attribute value be initialized so as to persist through the session, and is a RedirectToAction() type of approach the way to do it, or is an authorization attribute-based approach (Policy/Claims, etc.) better?

    An example or code snippet would be helpful.

    Thanks.

    Tuesday, April 14, 2020 8:09 PM
  • User475983607 posted

    You have to understand that your requirement can be solved with a simple "if" statement.

    I suspect your application requires a lot more design work. I'm guessing you want a menu system and security that grants or denies access to execute code. I recommend reading through the authorization fundamentals to understand the tools that are available in ASP.NET Core.

    https://docs.microsoft.com/en-us/aspnet/core/security/authorization/claims?view=aspnetcore-3.1

    Once you learn the basics then you should be able to move forward with the design.

    Tuesday, April 14, 2020 8:37 PM
  • User-474980206 posted

    So is it a 2-page site, one for code 1 and one for code 2? Or is the home page different? Are there common sections?

    Wednesday, April 15, 2020 2:13 AM
  • User2054207217 posted

    Bruce, it is right now a 2-page application (will extend out), one page for Code1 for managers, and a page 2 for Code2 for admins.

    I can accomplish with Redirect but wondering if there is a better way.

    Wednesday, April 15, 2020 3:59 PM
  • User475983607 posted

    I can accomplish with Redirect but wondering if there is a better way.

    A redirect works very well. Why do you think there is a better way than redirecting?

    Wednesday, April 15, 2020 6:07 PM
  • User-474980206 posted

    Bruce, it is right now a 2-page application (will extend out), one page for Code1 for managers, and a page 2 for Code2 for admins.

    I can accomplish with Redirect but wondering if there is a better way.

    A home page redirect is pretty simple, or even the action calling the other:

    // isUser is derived from the code value carried by the logged-in user
    public Task<ActionResult> Index()
    {
        if (isUser)
            return IndexUser();
        else
            return IndexAdmin();
    }

    private Task<ActionResult> IndexUser() { ... }
    private Task<ActionResult> IndexAdmin() { ... }


    But if the action count goes up, a custom route constraint would be the cleanest and simplest. See example:

      https://exceptionnotfound.net/routing-basics-in-asp-net-core-3-0/

    Wednesday, April 15, 2020 8:25 PM
  • User2054207217 posted

    Thanks. I tried doing this. Let's say there is a page AdminView for the IndexAdmin controller that gets called for the ADMIN code. My concern is a user can easily access the AdminView.cshtml directly via typing in the URL, even if the user has a different code than ADMIN.

    Friday, April 17, 2020 9:12 PM
  • User475983607 posted

    Thanks. I tried doing this. Let's say there is a page AdminView for the IndexAdmin controller that gets called for the ADMIN code. My concern is a user can easily access the AdminView.cshtml directly via typing in the URL, even if the user has a different code than ADMIN.

    Clearly, you are not taking the time to read the reference link provided above: https://docs.microsoft.com/en-us/aspnet/core/security/authorization/claims?view=aspnetcore-3.1.

    Create a policy that requires the user to have the Admin claim.

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();
        services.AddRazorPages();

        services.AddAuthorization(options =>
        {
            // Policy is satisfied only if the authenticated user carries an "ADMIN" claim
            options.AddPolicy("AdminOnly", policy => policy.RequireClaim("ADMIN"));
        });
    }

    // Apply the policy to the action; requests without the claim are refused
    [Authorize(Policy = "AdminOnly")]
    public IActionResult AdminView()
    {
        return View();
    }

    Or if the "Admin" is a role:

    [Authorize(Roles = "ADMIN")]
    public class IndexAdminController : Controller
    {
    }

    Please read the link and perhaps all the subjects within the Authorization subject.

    Friday, April 17, 2020 9:35 PM
  • User2054207217 posted

    mgebhard,

    Thanks. I went through the link/docs, but somehow I am obviously missing something. I am able to follow your example code where you are adding a policy for ADMIN in the startup. Where I am having a disconnect is how to associate the logged-in user with whether he has the ADMIN policy or not. To give a little background, I manually create a variable ADMIN based on reading certain attributes of the user logged in. And I denote the same variable as NON-ADMIN if a user has some other attributes.

    So as you see I am creating this variable that has ADMIN/NON-ADMIN after looking at some values of the logged in user.

    Let's say user Jim logs in and I determine him to be an ADMIN; how does the policy kick in, or how is the policy applied?

    Thanks so much.

    Friday, April 17, 2020 10:48 PM
  • User475983607 posted

    Let's say user Jim logs in and I determine him to be an ADMIN; how does the policy kick in, or how is the policy applied?

    Add the ADMIN claim to the user's authentication cookie. The following doc illustrates how to add the claim and create the cookie.

    https://docs.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-3.1

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Saturday, April 18, 2020 10:42 AM
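    Putting the two answers above together (the AdminOnly policy and "add the claim to the authentication cookie"), as an added example that is not code from this thread: the code value is computed once during sign-in in the OpenID Connect OnTokenValidated event, stamped on the identity so the cookie carries it for the rest of the session, and enforced by the policy on the action itself, which is what stops a NON-ADMIN user from reaching AdminView by typing its URL. The claim type, the extension attribute name and the Compute lookup are assumptions standing in for the poster's Graph query; Register is assumed to be called from ConfigureServices after AddOpenIdConnect has been registered.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class AccessCode
{
    // Hypothetical claim type carrying the computed code ("ADMIN" or "NON-ADMIN").
    public const string ClaimType = "urn:example:access-code";

    // Stand-in for the Graph/extension-attribute lookup; anything but the admin value maps to NON-ADMIN (fail closed).
    public static string Compute(ClaimsPrincipal user)
    {
        var attr = user.FindFirst("extension_attribute_example")?.Value; // hypothetical attribute name
        return attr == "Code02" ? "ADMIN" : "NON-ADMIN";
    }

    // Call from ConfigureServices after AddOpenIdConnect(...) has been registered (assumption).
    public static void Register(IServiceCollection services)
    {
        services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, oidc =>
        {
            // Runs once per sign-in; the claim then lives in the auth cookie, so no Graph call per request.
            oidc.Events.OnTokenValidated = ctx =>
            {
                var identity = (ClaimsIdentity)ctx.Principal.Identity;
                identity.AddClaim(new Claim(ClaimType, Compute(ctx.Principal)));
                return Task.CompletedTask;
            };
        });

        services.AddAuthorization(options =>
            // Require the claim *value*, not merely the presence of the claim type.
            options.AddPolicy("AdminOnly", p => p.RequireClaim(ClaimType, "ADMIN")));
    }
}

// The policy on AdminView is the actual access control: requesting its URL directly
// yields 403 for a NON-ADMIN user. The redirect in Index is navigation only.
[Authorize]
public class HomeController : Controller
{
    public IActionResult Index() =>
        User.HasClaim(AccessCode.ClaimType, "ADMIN") ? RedirectToAction(nameof(AdminView)) : View();
    [Authorize(Policy = "AdminOnly")]
    public IActionResult AdminView() => View();
}
```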
  • User2054207217 posted

    Thanks for this. I ended up doing similar but not using the cookies.

    Thursday, May 21, 2020 10:07 PM