Several questions regarding ASP.NET Authorization when using Windows auth and ASP.NET Core 2.2

  • Question

  • User853731431 posted

    I am in a similar spot to that described in the thread here, except that I have an additional layer of a web api back-end which also uses windows authentication.
    https://forums.asp.net/t/2081769.aspx?How+to+add+custom+Claims+to+Windows+Authenication+Application+

    Building a new intranet application that will have an API backend, both using ASP.NET core 2.2 and both using windows authentication. 
    Users should not have to log in. Also, the only thing Windows auth will do is authenticate. No other information such as roles or what group a user is in will be used that comes from AD. However, given that the app will be aware of their identity, we then need to handle what rights the user has within the application.
    So regarding authorization, different areas of each screen of the client app will need to segment the user's rights into something like this:
    - Blocked everything
    - Read-only
    - Add new items to a list
    - Cancel an order
    - Approve an order

    Other areas of the app will need similar granular permissions.  Most of the features the app provides will rely on data coming from, or being posted to the API, so the API methods also need to check what the user is authorized to do.

    Questions:
    - I'm assuming that I will need to load the claims on each request based on the user's identity (see link below)
    - What then for the API backend, as it too will need to verify that the user can make the incoming request. Should this process of fetching the user and loading its claims happen a 2nd time?

    See this example
    https://weblogs.asp.net/imranbaloch/claims-transformation-and-authorization-policy-in-aspnet5-mvc6

    Wednesday, January 2, 2019 8:29 PM
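    Added example (not code from the original post or the linked threads) of the claims-transformation approach the question refers to: Windows auth supplies only the identity, and an `IClaimsTransformation` adds the application's own permission claims, which authorization policies then check. The permission table, the account names and the permission strings are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Server.IISIntegration;
using Microsoft.Extensions.DependencyInjection;

// Runs whenever the request is authenticated; turns the Windows account name into app-specific claims.
public class PermissionClaimsTransformation : IClaimsTransformation
{
    // Hypothetical permission table with constructed sample data; in the real app this is a database lookup.
    // Accounts that are absent get no permission claims at all ("blocked everything").
    private static readonly Dictionary<string, string[]> Rights =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            ["CONTOSO\\alice"] = new[] { "orders.read", "orders.add", "orders.approve" },
            ["CONTOSO\\bob"]   = new[] { "orders.read" },
        };

    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        var identity = principal.Identity as ClaimsIdentity;
        // Transformation may run more than once per request, so it must be idempotent.
        if (identity == null || !identity.IsAuthenticated || identity.HasClaim(c => c.Type == "permission"))
            return Task.FromResult(principal);

        if (Rights.TryGetValue(identity.Name, out var permissions))
            foreach (var permission in permissions)
                identity.AddClaim(new Claim("permission", permission));
        return Task.FromResult(principal);
    }
}

public static class AuthorizationSetup
{
    // Register in both the MVC app and the Web API project: each process authenticates its caller
    // independently, so the claims are loaded again in the API before its policies are evaluated.
    public static void AddPermissionAuthorization(this IServiceCollection services)
    {
        services.AddAuthentication(IISDefaults.AuthenticationScheme);
        services.AddScoped<IClaimsTransformation, PermissionClaimsTransformation>();
        services.AddAuthorization(o =>
        {
            o.AddPolicy("ReadOnly",     p => p.RequireClaim("permission", "orders.read"));
            o.AddPolicy("AddItems",     p => p.RequireClaim("permission", "orders.add"));
            o.AddPolicy("ApproveOrder", p => p.RequireClaim("permission", "orders.approve"));
        });
    }
}
```

    Controllers and actions in either project then use `[Authorize(Policy = "ApproveOrder")]`, and a user with no row in the table fails every policy.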

All replies

  • User475983607 posted

    Generally, the authentication process results in a token.  The token contains the user's identity, roles, and claims.   A middleware (HTTP Pipeline) reads the token and uses the token to populate the user's principal.

    In browser-based applications the token is persisted/cached in a cookie. In code-based applications the client sends a bearer token (HTTP header) and is responsible for persisting/managing the token. See OAuth/OpenID Connect APIs for the .NET framework being targeted.

    Wednesday, January 2, 2019 9:51 PM
  • User283571144 posted

    Hi BitShift,

    Questions:
    - I'm assuming that I will need to load the claims on each request based on the user's identity (see link below)
    - What then for the API backend, as it too will need to verify that the user can make the incoming request. Should this process of fetching the user and loading its claims happen a 2nd time?

    According to the link you have posted in your thread, it uses ASP.NET Core Identity authorization. If you want to achieve this in your ASP.NET Core Web API project, you should also enable Identity in your application.

    You could write the code to get the username and password when the page loads.

    Then you could call the UserManager.PasswordSignInAsync method to log in according to the username. Notice: since Identity also needs a user password, you could store them in the database and search for them by username, or directly use the same password.

    Finally, you could use ASP.NET Identity's role manager and user manager to manage your web application.

    Best Regards,

    Brando

    Thursday, January 3, 2019 3:12 AM