.png "Introduction to Authorization in ASP.NET Core") |
| Introduction to Authorization in ASP.NET Core |
In the last few blogs we've discussed about Authentication in detail. We already learnt what is Authentication and How to implement in our Web API. In this blog, we'll know what Authorization is and it's different types.
Introduction
We already know Authentication verifies an user or system's identity, but Authorization determines what the user or system is allowed to do. For e.g. In banking app, you can only access your account information etc. but a bank employee has access to view, update other customers info. In this scenario we can say that an account holder can view only their account info and update own information. But a bank employee has access to multiple account holders. Both account holder and bank employee are working on the same app with different access, which is handled by Authorization.
In simple terms we can say that Authentication determines who we are and Authorization determines what we're allowed to do.
In terms of Web API, when a user is not authenticated, it returns 401 - Unauthorized. But, if a user is authenticated but don't have authority of to do certain task, it will return 403 - Forbidden. Two different status codes with different meaning.
We understand what authorization is, but how we'll apply authorization in ASP.NET Core Web API. But before that we must know what are the different types of authorization. Here are the followings:
Types of Authorization
- Simple Authorization : This is the basic form of authorization. In ASP.NET Core Web API, this is handled by [Authorize] attribute, placed in the controller or its action method. In simple authorization, it only verifies the user is authenticated or not. If the user is authenticated, it will allow to do the operation present in the method. If the user is not authentcated, it will return 401- Unauthorized.
By default, if there is no [Authorize] present, it doesn't require a user to be authenticated. It will allow anonymous user to access APIs. But, with the attribute it will not.
[AllowAnonymous] attribute is used when we want to allow user to access some of the endpoints without authenticated.
Here is an example of the above[Authorize] public class AccountController : Controller { [AllowAnonymous] public ActionResult Login() { } public ActionResult Logout() { } }
- Role Based Authorization: In Role based Authorization or Role based Access control (RBAC) uses role to allow access to endpoints. If an endpoint is configured to allow only certain role, users or system has the role can able to access. In ASP.NET Core Web API, we can set an endpoint to certain roles with [Authorize(Roles = "Admin")]. We can pass multiple roles with comma separated like [Authorize(Roles= "Admin, Manager")].
There are multiple ways to add and assign and fetch roles to users or systems. It depends on the backend.
But, in ASP.NET Core mostly role is added to the token or UserClaims depending on the use case.
Here is an example how it is configured in Controller.
[Authorize] public class AdminController : Controller { public ActionResult Approve() { } }
- Policy Based Authorization: A policy contains one more rules in it. Supoose we want to access an enpoint/resource based on mutiple rules, policy based authorization comes into play. We define policy based on the condition and apply it wherever required instead of harding it multiple places. We can resuse the logic in multiple places. Here we've the centralized control of a rule.
In ASP.NET Core we register the policy in progrm.cs file and use it wherever required.
Here is an example:
builder.Services.AddAuthorization(options => { options.AddPolicy("AccountAccess", policy => { policy.RequireRole("Manager"); policy.RequireRole("User"); }); });[Authorize(Policy = "AccountAccess")] public class AccountController : Controller { public ActionResult GetBalance() { } }
- Claim Based Authorization: A claim is a key value pair which represents about the user. We can add any no of claims to a user. Here are few examples of claims i.e. Name, Email, DoB, Department. So we can Authorize user based on the claim as well. Here is an example.
builder.Services.AddAuthorization(options => { options.AddPolicy("ITResourceMember", policy => policy.RequireClaim("Deparment", "IT") ); });[Authorize(Policy = "ITResourceMember")] public class AssetController : Controller { public ActionResult Get() { } } - Custom Authorization : This allow us to define complex access rules when only role or claim check is not enough. ASP.NET provides IAuthorizationRequirement and IAuthorizationHandler which will take the requirement and handle the business logic for access. E.g.: When an endpoint can be access by a people of certain age. We can provide the Minimum and maximm age to requirement and the handler will take the data from requirement and grant access.
- Resource Based Authorization: This will control access based on the resources user is trying to access. Sometimes we need to control the data whether user has access or not, that can only determine after the data is pulled from db or other storage. Resource based authorization helps on this. In all the above types we pass the Authorize attribute to control the user has access or not. But here we check after the data is retrived from the store and then authorization check is done. We can do this using IAuthorizationService. It provides us the methods to apply acess control. E.g: When a user can only update his own data. This can only be done after pulling the user data from store.
Conclusion
In this article, we got to know about Authorization and it's different types. We've to choose the type of authorization based on our requirement in the project which we're developing. ASP.NET Core already provides the built in authorization framework. We've to configure based on our requirements. We'll implement all the different types of authorization in later articles.
Please provide your feedback on this article and share with your friends.
Thank you!
Comments
Post a Comment