Authorize Attribute and MVC

  • Question

  • User1205965688 posted

    Hello folks.  I need some help with the Authorize attribute.  It's not that I don't understand it, but I have an implementation I want to try and wanted to see if anyone has done this before or maybe someone has a better way of doing this. 

    I have an Azure web app I'm developing and the requirement internally is to use OAuth2 for authentication.  The [Authorize] attribute works great to fire off the process to redirect, authorize, get the token, and pass it back to the client so they can access the application.  However, I have an extra requirement internally to use role based access in the app for administrative access in the app itself.

    My thought is that if I override one of the methods in the AuthorizeAttribute class to achieve this, then I will lose the OAuth authentication piece.  Right?  But if I apply Authorize and a custom Authorize attribute together on the controller, then I should get what I'm looking for...I think.

    Example...
    [Authorize]
    [CustomAuthorize] //custom authorize attribute overriding AuthorizeCore to check for database role authorization based on logged in user name or ID
    public class SomeController : Controller
    {
         //controller code...
    }

    Has anyone ever done this before?  I need to make sure they are an employee of the company first.  If they are, then I need to check the role they have been assigned via the database user table.  So are they an employee and are they an admin of the application?

    Hope that makes sense.  Please let me know if I need to include more information for people to provide an insightful and thoughtful response.  Thanks in advance.

    Monday, January 6, 2020 4:26 PM
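The point the question turns on is whether overriding AuthorizeCore discards the OAuth redirect. It does not, as long as the override calls the base implementation first: in ASP.NET MVC 5 the base AuthorizeCore is what rejects an unauthenticated user, and the resulting 401 is what the OWIN OAuth/OpenID Connect middleware converts into the redirect to the identity provider. The following is an added example, not code from the original post; IUserRoleRepository and the DependencyResolver wiring are hypothetical stand-ins for the application's user table.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Web;
using System.Web.Mvc;

// Hypothetical application-side role store (not from the thread): maps the
// authenticated identity name to the roles defined in the app's own user table.
public interface IUserRoleRepository
{
    IEnumerable<string> GetRolesFor(string identityName);
}

public class DatabaseRoleAuthorizeAttribute : AuthorizeAttribute
{
    // Comma-separated application roles, mirroring the built-in Roles property.
    public string RequiredRoles { get; set; }

    // How the repository is obtained is an assumption; swap in the app's own DI.
    public Func<IUserRoleRepository> RepositoryFactory { get; set; } =
        () => DependencyResolver.Current.GetService<IUserRoleRepository>();

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Keep the built-in behaviour: an unauthenticated user fails here, and the
        // 401 that follows is what the OWIN middleware turns into the OAuth redirect.
        if (!base.AuthorizeCore(httpContext))
            return false;

        // No application role requested: being an authenticated employee is enough.
        if (string.IsNullOrWhiteSpace(RequiredRoles))
            return true;

        var required = RequiredRoles
            .Split(',')
            .Select(r => r.Trim())
            .Where(r => r.Length > 0)
            .ToArray();

        var name = httpContext.User.Identity.Name;
        var granted = RepositoryFactory().GetRolesFor(name) ?? Enumerable.Empty<string>();

        // Any one of the listed roles grants access, as with the built-in Roles check.
        return required.Any(r => granted.Contains(r, StringComparer.OrdinalIgnoreCase));
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Authenticated but not in the role: answer 403, not 401. A 401 sent to a user
        // who is already signed in makes the OAuth middleware challenge again and loop.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
            return;
        }
        base.HandleUnauthorizedRequest(filterContext);
    }
}

// Usage: a separate [Authorize] on the controller is not needed, because the
// base check already runs first inside AuthorizeCore.
[DatabaseRoleAuthorize(RequiredRoles = "Admin")]
public class AdminController : Controller
{
    public ActionResult Index() => View();
}
```

Two things to keep in mind with this shape: the role lookup hits the database on every request to a decorated action, so cache it or keep the query cheap; and the 403 branch matters for security as well as usability, since it makes "not an admin" observably different from "not signed in" in the logs.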

All replies

  • User475983607 posted

    I don't see why you need a custom attribute.   The [Authorize] attribute has the capability to restrict access to specified roles and claims.  Perhaps you need to add roles/claims to the user's authentication token?

    Monday, January 6, 2020 4:33 PM
  • User1205965688 posted

    I couldn't agree more and have done that in the past when the app was stored on-premise, however, standing policy for web application development when using Azure is to use a user table and define roles assigned to the user in the app itself.  When we moved to Azure, I wanted to use Microsoft Graph (I think this is it) to get group membership information from Active Directory so I could apply the "Role" to the Authorize attribute, but at this time, they don't want to do that because of "Administrative Overhead" to maintain group changes.  It is what it is.

    Monday, January 6, 2020 6:36 PM
  • User475983607 posted

    I couldn't agree more and have done that in the past when the app was stored on-premise, however, standing policy for web application development when using Azure is to use a user table and define roles assigned to the user in the app itself.  When we moved to Azure, I wanted to use Microsoft Graph (I think this is it) to get group membership information from Active Directory so I could apply the "Role" to the Authorize attribute, but at this time, they don't want to do that because of "Administrative Overhead" to maintain group changes.  It is what it is.

    I do not understand your response.  You are unable to fetch user roles/claims?

    Monday, January 6, 2020 6:43 PM
  • User1205965688 posted

    I'm unable to fetch user roles and the claims that are provided are limited.  I can see 14 different claims and none of them have a short user name or the old SAM account name as it used to be called in Active Directory.  Unless I'm completely missing something and I'm glad to be educated.

    Monday, January 6, 2020 8:04 PM
  • User475983607 posted

    I'm unable to fetch user roles and the claims that are provided are limited.  I can see 14 different claims and none of them have a short user name or the old SAM account name as it used to be called in Active Directory.  Unless I'm completely missing something and I'm glad to be educated.

    In browser applications, claims are stored in a token and the token is cached in an authentication cookie. All you have to do is get the user's claim(s) and add it to the token.  This is usually handled by a library added to the project like Identity.

    https://forums.asp.net/t/2104135.aspx?ASP+Net+MVC+How+to+add+custom+data+to+claim+during+login+process

    Monday, January 6, 2020 8:32 PM
  • User-1780421697 posted

    From the token you can extract different claims that usually store user-related data; to get the role from the claims you need to get the claim of type "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

    The list of claims is:  http://schemas.microsoft.com/ws/2008/06/identity/claims/role

    Tuesday, January 21, 2020 10:14 AM
  • User1205965688 posted

    From the token you can extract different claims that usually store user-related data; to get the role from the claims you need to get the claim of type "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

    The list of claims is:  http://schemas.microsoft.com/ws/2008/06/identity/claims/role

    I appreciate this information, however, to get the claim I was looking for, you have to tell Azure to send the information explicitly.  The short user ID or SAM Account Name is not sent by default in the token.  And by the company guidelines for application development, roles have to be managed within the application itself by defining them and storing them in the application's database instead of using groups from Azure Active Directory.

    Wednesday, January 22, 2020 9:23 PM
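The alternative to a custom attribute, which User475983607 and User-1780421697 describe above (add the user's roles to the identity at sign-in, under the standard role claim type) is compatible with the constraint in the last post: the roles can come from the application's own user table rather than from Azure AD groups, and the lookup can be keyed on a claim the token does carry rather than on the SAM account name. The following OWIN startup is an added example, not code from the thread or from any of its participants; the object-identifier claim used as the lookup key and the IUserRoleRepository store are assumptions, and the client id, authority and redirect URI are placeholders.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(Startup))]

// Hypothetical application-side role store: the app's user table keyed by a
// stable identifier, returning the roles defined and managed in the app itself.
public interface IUserRoleRepository
{
    string[] GetRolesFor(string userKey);
}

public class Startup
{
    // Assumed hook for obtaining the repository; replace with the app's DI.
    public static Func<IUserRoleRepository> RoleRepositoryFactory { get; set; }

    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "<client-id>",        // placeholder
            Authority = "<authority-url>",   // placeholder
            RedirectUri = "<redirect-uri>",  // placeholder
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Runs once per sign-in, after the middleware has validated the token
                // signature, issuer, audience and lifetime. Claims added here are
                // persisted in the auth cookie, so the database is not hit per request.
                SecurityTokenValidated = context =>
                {
                    ClaimsIdentity identity = context.AuthenticationTicket.Identity;

                    // Key the lookup on a claim the token carries by default; the thread
                    // notes the SAM account name is not one of them. Assumed here: the
                    // Azure AD object identifier, with the identity name as fallback.
                    string key = identity.FindFirst(
                        "http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value
                        ?? identity.Name;

                    string[] roles = RoleRepositoryFactory().GetRolesFor(key) ?? new string[0];

                    // Use the identity's own RoleClaimType (by default the
                    // .../ws/2008/06/identity/claims/role URL quoted in the thread) so that
                    // ClaimsPrincipal.IsInRole, and therefore [Authorize(Roles = "...")],
                    // sees these roles.
                    foreach (string role in roles)
                        identity.AddClaim(new Claim(identity.RoleClaimType, role));

                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

With this in place, the built-in attribute is sufficient: `[Authorize(Roles = "Admin")]` on a controller rejects employees whose row in the user table has no Admin role. The trade-off to document is freshness: because the roles live in the cookie, revoking a role in the database takes effect at the next sign-in or cookie expiry, not immediately, so keep the cookie lifetime short for administrative areas or re-check the table in the admin controllers themselves.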