Authentication and Authorization
Authentication and authorization are configured in `Startup.cs` during the `Configure` operation:
```csharp
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    ConfigureCulture();
    app.UseAuthentication();
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    // todo(UMV) when it will be configured move to under development
    app.UseSwaggerWithKeyCloakAuthentication("Wissance.TestApp", Settings.AuthServer, _scopesValues);
    app.UseRouting();
    app.UseCors("AnyOrigin");
    app.UseAuthorization();
    app.UseEndpoints(endpoints => { endpoints.MapControllers(); });
}
```
where `UseSwaggerWithKeyCloakAuthentication` is an extension method provided by this library. You can use another authorization server by configuring it in `Startup` instead.
After authorization is configured, you can use attributes to declare whether an endpoint requires authorization or not, i.e.
- Attributes on a controller:

  ```csharp
  [Authorize(Roles = "Administrator")]
  public class AdminController : Controller
  {
      // Actions accessible only by users in the "Administrator" role
  }
  ```
  or just `[Authorize]` without arguments. This case can easily be done with WebApiToolkit, but not with the one-line controller add until this issue is resolved. Note that the authorization server MUST still check access rights on its side and return 403 if the user does not have access. `[AllowAnonymous]` permits access without identifying the user.
- Attributes on a method:

  ```csharp
  public class HomeController : Controller
  {
      [Authorize(Roles = "Editor, Administrator")]
      public IActionResult EditContent()
      {
          // Action accessible by users in the "Editor" or "Administrator" role
          return View();
      }
  }
  ```
  This could be done by overriding controller methods in derived Controller classes, but that doesn't look like a good idea. We repeat that access control should be performed on the authorization server side. For more fine-grained access control, however, `IHttpContextAccessor` can be used; see the issue.
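As an added illustration of that last point (example code, not part of WebApiToolkit), the following combines the coarse `[Authorize]` attribute with a fine-grained ownership check read from `IHttpContextAccessor`. `IOwnershipChecker`, `ContentController`, the `"sub"` claim and `LookupOwner` are assumptions for the example; the role and 403 behaviour mirror what the text describes.

```csharp
using System;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

// Assumed service: decides whether the current caller may touch a resource owned by resourceOwnerId.
public interface IOwnershipChecker { bool CanAccess(string resourceOwnerId); }

public class OwnershipChecker : IOwnershipChecker
{
    private readonly IHttpContextAccessor _accessor;
    public OwnershipChecker(IHttpContextAccessor accessor) => _accessor = accessor;

    public bool CanAccess(string resourceOwnerId)
    {
        ClaimsPrincipal user = _accessor.HttpContext?.User;
        if (user?.Identity == null || !user.Identity.IsAuthenticated)
            return false;                      // unauthenticated callers never pass
        if (user.IsInRole("Administrator"))
            return true;                       // same role the [Authorize(Roles = ...)] attribute checks
        // Subject id from the token: NameIdentifier (mapped from "sub" by the JWT handler) or raw "sub".
        string subject = user.FindFirst(ClaimTypes.NameIdentifier)?.Value ?? user.FindFirst("sub")?.Value;
        return subject != null && string.Equals(subject, resourceOwnerId, StringComparison.Ordinal);
    }
}
// Registration in Startup.ConfigureServices (IHttpContextAccessor is not registered by default):
//   services.AddHttpContextAccessor();
//   services.AddScoped<IOwnershipChecker, OwnershipChecker>();

[Authorize]                                    // coarse check: any authenticated user reaches the controller
[ApiController]
[Route("api/[controller]")]
public class ContentController : ControllerBase
{
    private readonly IOwnershipChecker _ownership;
    public ContentController(IOwnershipChecker ownership) => _ownership = ownership;

    [HttpPut("{id}")]
    public IActionResult Edit(int id, [FromBody] string body)
    {
        string ownerId = LookupOwner(id);
        if (ownerId == null) return NotFound();
        if (!_ownership.CanAccess(ownerId))
            return Forbid();                   // 403, the same outcome the text expects from the auth server
        // ... apply the edit ...
        return NoContent();
    }

    // Stand-in for a repository lookup (constructed sample data for the example).
    private static string LookupOwner(int id) => id == 1 ? "user-123" : null;
}
```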