ASP.NET Core - Roles vs Claims vs Policy

Captions
Everyone, welcome to my video about roles versus claims versus policy. First of all I want to thank you for 200 subscribers, and this will be my video explaining this topic, which many of you asked for and I don't think I've really given a compelling explanation of. So this is what this video is gonna be about: trying to explain roles, claims, policy, when do you want to use what, and hopefully give you a better understanding of, when you want to accomplish a task, what do you want to turn to. Okay, so roles versus claims versus policy, what's the difference, what's up, right? Boom.

Okay, so let's start with roles. Roles are essentially a boolean type. I want you to think of it as a boolean type, because a role, the user is either in it or he isn't, right, and a role either protects a function or it doesn't, right? So you have some sort of functionality and you have some sort of user, so if the user is in a role he has access to the function that the role protects as well, right? So the role essentially encapsulates the user and the function. So this is essentially just a little diagram I use, as you can see my math skills are improving, but yeah, essentially this is what a role is: so you have a role, you have the users that are in the role, and they have access to these functions.

All right, claims. Claims are a little bit different, well not a little bit, they're entirely different, they're a key-value pair. So if you look at this claim bubble here, essentially this is an email, so you're specifying a key or a type, so you can say it's an email, it's a username, it's an image, you can have all sorts of claims, right? And this claim belongs to a user or an entity, and claims are used to describe that entity. All right, so they're essentially user properties, and they tell the program, or the context in which they're used, something about the user. So that's what claims are.

And if we go to policies, they're just functions. Policies are just functions which basically start here with the context, and when we make a request to a page which is protected by a policy, they go to this policy and it's essentially a function which basically takes this context and it looks at it and goes, right, this is the user that is trying to access this thing, and right, let's check the database, files, or however you configure this function to work, it's gonna execute it and then it's gonna say either, right, you're good to go, or sorry buddy, you are not allowed to go here, and it's gonna give you a 403.

Okay, so let's go ahead. I've set up a project here, and this project I'm gonna make available on GitHub so you can go in and download it, and let's first take a look at roles. Let's take a look at the setup of the project. So Startup, basically this is the default template kind of thing, and let's make the code a little bit bigger, like so. Right, so essentially I have my Identity set up here and some policies as well, but we'll drill into them a little bit more in detail later on. And then in the Program.cs file I essentially seed an admin user, and for that admin user I create an admin role. Okay, so let's fire this up, I'll put it to the side here and I'll create another window, I'll just put it to the side here. Okay, so what's happening here while it's loading up: it is going to create a database called, let me refresh this actually, authorization tutorial, and you can find the connection string for this in the appsettings.json. Here it is, this database and the server that it's pointing to, so if you have Visual Studio installed you should have this local database. Okay, so let's bring this up again, and let me log out here because I already was testing this and was logged in. Okay, so essentially what we have to start with, let's open this up, tables, and let's look at the users. We have this one admin user here, admin@test.com, so let's go ahead and log in. There we go, and I have these two routes on top, right? So roles test is essentially a page that I've set up, so the index page will essentially grab all the users and display their roles, right, and you have your roles as well.

So we can go ahead and create something like manager@test.com, right, so this is going to be a manager user. Right, so now that we have created this manager user he's gonna appear here, and by default I set the password to "password", to be able to access these accounts easier. And then we can go ahead and create a role, manager, okay, and we can do something sort of grab this manager, grab the manager role and add the role, or you can also add the role to the admin, so admin can have the manager and admin role, or we can go ahead and remove it as well. All this functionality I'm not gonna go over, it's pretty much self-explanatory and it's all in this one controller, so I haven't split it up into any files, everything is in here and everything is relatively simple. So for now we're gonna focus on roles, role access and that sort of thing. So for now I have this controller protected with the admin role, right? So I created this manager user and I gave him a role of manager, okay? So let me go ahead, copy this URL, go into here and let's say manager@test.com, password, okay, and you see that access is denied. So I'm trying to access this page and it's denied. So essentially, again, a role is a boolean, right? So manager@test.com, is he a manager? Yes. Is the roles test allowed for managers? No.

Okay, so going into policies, we can use the roles to enforce policy. So again, policies are functions, and we basically give this function a name, something like admin access, and right, we say policy that the user will have a require role of admin, right? So this is admin access. So if we go to the policy test here I have three pages, sorry, the admin page, which will go into the policy controller. So we have the admin page which has admin access, which is right here, manager access, which is going to check that the user is either in a role of admin or manager, and user access is admin, manager or user role, right? So we can go ahead and also go into roles test, add user@test.com, let's create this user, let's create a user role, grab this user and give him a role as well, right? So being a manager you can access the user page and you can access the manager page, but you cannot access the admin page, and being an admin you can access the user page, manager page and admin page.

So again, going back to the presentation, so our role, as you can see, encapsulates this function, for now the roles controller, so this whole class and all the functions are protected by this role, so all these functions belong here to this role, and all the users that are in this admin role have access to these functions, right? And we have the policy, so the policy has access to the context, and the context is pretty much the current state of the user in the ASP.NET Core application, right, and the database. When I create it, it's possible to create filters, and I'm not gonna do filters but handlers, I will show you how we do that on the claims policy, but essentially you can see that here we're creating functions where we are able to manipulate the role and basically provide some additional functionality based on the role, saying things like, right, the function is now protected, or rather your access is depending on your role, and more than one role can be involved in determining whether you have access or not.

Okay, let me close all of these documents, let me stop the application and let's go ahead and go into claims. So claims is pretty much the same. I have the program file here which essentially says create admin claim, manager claim and date started claim. Manager and admin claim are gonna be pretty much useless here, and essentially I'm saying, right, if you're on this project first, add these claims, and if you've run the other project, just add the claims to this user, which is admin@test.com, the one we see in roles, and I have the appsettings pointing to the same database, so everything that you have created in the previous project will be retained for this claims project as well.

Okay, so what am I doing different in this project? So, based on claims, I have this claims controller, right, and I have this years worked, right? So what is this years worked? This is my custom filter, a type filter, and it's a type of authorization filter. So if you know anything about, I have middleware in, or rather not middleware, filters in .NET Core, authorization filters are executed first before any other filters, so this is what's going to be executed before it grants you access to this method, right? So what am I doing in this filter? In this filter I'm getting the context, I'm getting the user, so I'm checking is he authenticated, if not I return an unauthorized result, and then I'm basically getting the date started. So I've basically set up this project to imitate the functionality of giving out rewards to users based on how long they worked at the company. You can also say how long they've been signed up to your website, how long they've been doing something, right, so it's trying to mimic or implement that functionality. Okay, and this is what I'm basically checking for, claims, and I'm looking for this date started, I'm getting the value, and I'm performing some logic in this authorization filter, right? So you might think, if you're catching on, if you remember the word policies, you might think, right, why are you not using a function, or rather why are you not using the policy function, isn't that what it's made for? Well yeah, that is what it's made for, but imagine if you didn't have policies, this is what you would have to do, you'd have to create a filter, and this is what you would have to do, right? So claims policy, I have these pages that are not in this policy page but they're here, and then I have links. So let's go ahead, fire this one up, I'll put it here to the side, and I'm gonna take this here, I'm actually gonna close this.

Okay, so let me log out, let me log back in as admin. Okay, now let's go to roles test, is it the same website? Yeah it is, pardon, so I'm going to select the different project to run, let me fire this up. So now that this project is running, let's go ahead into our database again and let's look at AspNetUserClaims, right, so this is where it's gonna essentially create the claims for our user. So you can see the user ID, this is the admin ID, right, these are the claims that it created. Okay, so let me open up this window, now put it here, let's log in as admin@test.com, right, and let me log in as manager@test.com, password. So this manager, remember, we're still pointing to the same database, so now I have access to this login on a different website. Okay, so let's go to claims test. Here you can see all the different claims, right, and here are the three claims that I have added manually, and here you can see this role, right, that is essentially stating the role. So when we assigned our user to the role of admin it has translated to this as well. So if we go on our manager you can see that the role is still a claim, right, but just because of the implementation in ASP.NET Core and its semantical meaning, role is still this bubble that encapsulates the users and the functionality in this bubble.

Okay, so going forward, have we worked two years? Yes. By the way, I have set in my Program.cs, when I seed the claims, I have set the date started for the admin user in 2010, so it's 2019 right now, so he's essentially worked nine years. Okay, so we would be able to access two years, five years, and ten years. So five years, no problem, ten years and we get a 401 unauthenticated, right? And if we go on our manager and we try to visit two years, we might probably get an exception, right, because we don't have this claim, and I'll probably need to implement something to handle that functionality.

Okay, now I essentially then went ahead and said, right, why am I creating my own authorization attribute, I can create a filter, sorry, a policy handler, so a policy function that will handle this for me. Okay, so in my Startup I have this. So essentially what I'm doing is I'm creating a requirement, which is minimum years worked requirement, and I'm passing some kind of value to it, and then I am using this requirement, let me put this on two new lines, I can't because it's running. All right, so I have this minimum years requirement here, and based on this requirement I'm essentially doing the same thing I'm doing in this attribute, so you will see that these functions look very, very similar. All right, I'm doing the same thing, except how it returns the completed status is a little bit different, but essentially it is doing the same thing: it's taking this claim, date started, and it's checking its value based on the value that we have registered here, right? So in my Startup, when I define these policies, worked two years, worked five years, I give names to these functions, right, and then I create this parameter, which is then implemented by this handler. Okay, so in my code this would look like this, and my policy, so essentially what it's saying is before accessing this controller you have to go through this function, right? So if we again go to policy test, we're now at policy, and if we go to two years we have access, five years we have access, ten years we get an unauthorized, right? So policy is really, again, a function that can use either roles or claims or the database, based on the user that's accessing it, and can either provide you access or deny you access to functions. All right, and if we go to here, policy two years, and again it crashes because we don't have claims, so you potentially want to be implementing this check.

Okay, so this will be essentially it for this episode, and let's again just as a refresher go back to these roles, I mean go back over these slides again after you've seen the project and how I attempted to tackle some of the tasks. Again, roles encapsulate functions and users, so if you have an admin control panel it would make sense to have an admin role and protect all those functions with an admin role. Okay, so if you have a specific amount of functions and you want those functions to be only available to certain users you might want to opt in for roles, right? But you can also send claims, so you can actually just create a claim type called roles and you can put whatever claims you want in there, and really it's up to you to decide which to pick, claims or roles, based on the semantical meaning of how Microsoft defines it in ASP.NET. All right, so role is this thing which has users and functions assigned to this role, and the claims are something that define a user, right? So I don't think you necessarily want to mix them, you either want to pick one or the other. So claims essentially provide you the functionality of roles in the long term, but they also provide you with a little bit more customizability because it's a key-value pair, so you can have, as you've seen, how many years have you worked for, it can give you that level of authorizing functions. All right, and policies are essentially those functions which are basically saying, based on who is accessing, they're gonna perform some tasks and they're gonna say, right, you're either allowed to do it or not. So policies essentially don't have anything to do with roles or claims, they use roles and claims to decide whether you have access or not.

Okay, so the real question here is should you be using roles or claims, and that's for you to decide in your application. Based on the application that you're building, do you need the flexibility of claims, or are you okay with just having roles and securing and delegating access to functions based on the roles, or do you need to know that the user has some sort of a value assigned, like an email, or a domain if you come from a different domain? So you might have Windows authentication in your company and you might say, right, one set of users come from one domain, another set of users come from another domain, so based on the domain we're gonna delegate access, or based on your role or access level, you know, that sort of thing. So if you're in a big company and you're building a big application claims might be your pick; if you're building something small and you don't need a lot of flexibility and you really just need to secure a function, and when the user comes in you want to give them access to these functions, it might be okay to go for roles if you don't need a big level of configuration.

That will be it for this video, thanks for watching. If you have any questions leave them in the comments, I'd love to answer your questions. If you enjoyed this video, like, subscribe, I do a lot of cool tutorials on my channel, not only .NET Core but also Vue.js, and there's gonna be a lot more videos to come, so if you want to stick around don't forget to subscribe, and hopefully I'll see you around in my other videos. Have a good day.
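The requirement-plus-handler approach the video ends on, written out as an added example that is not the video's own code: the claim type "DateStarted", the policy names and the class names are assumptions. Unlike the custom attribute the video describes, the handler fails closed when the claim is missing or malformed instead of throwing, which is the case the video notes crashes for the manager user.

```csharp
// Added example (not the video's project code). Assumed names: the claim type
// "DateStarted" (an ISO-8601 date), policy names and class names.
using System;
using System.Globalization;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// The requirement only carries the parameter; the handler below does the checking.
public class MinimumYearsWorkedRequirement : IAuthorizationRequirement
{
    public int MinimumYears { get; }
    public MinimumYearsWorkedRequirement(int minimumYears) => MinimumYears = minimumYears;
}

public class MinimumYearsWorkedHandler : AuthorizationHandler<MinimumYearsWorkedRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, MinimumYearsWorkedRequirement requirement)
    {
        // Missing claim: do not call Succeed, so the policy fails and the user gets 403
        // (or a challenge if unauthenticated) rather than an unhandled exception.
        var claim = context.User.FindFirst("DateStarted");
        if (claim == null) return Task.CompletedTask;

        // Malformed claim value: fail closed as well.
        if (!DateTime.TryParse(claim.Value, CultureInfo.InvariantCulture,
                DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out var started))
            return Task.CompletedTask;

        // Whole years worked, computed from the claim rather than trusted from the client.
        var years = (DateTime.UtcNow - started).TotalDays / 365.25;
        if (years >= requirement.MinimumYears)
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

// Called from Startup.ConfigureServices: role-based policies and the claim-based ones
// live side by side; the controller only names the policy it wants.
public static class PolicySetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            options.AddPolicy("AdminAccess", p => p.RequireRole("Admin"));
            options.AddPolicy("ManagerAccess", p => p.RequireRole("Admin", "Manager"));
            options.AddPolicy("WorkedTwoYears",
                p => p.AddRequirements(new MinimumYearsWorkedRequirement(2)));
            options.AddPolicy("WorkedFiveYears",
                p => p.AddRequirements(new MinimumYearsWorkedRequirement(5)));
        });
        services.AddSingleton<IAuthorizationHandler, MinimumYearsWorkedHandler>();
    }
}
```

A controller or action then opts in with `[Authorize(Policy = "WorkedTwoYears")]`; a user without the claim is denied rather than causing a 500.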
Info
Channel: Raw Coding
Views: 91,915
Keywords: web development, web development tutorials, .net core, asp.net core, .net core 2.1, asp.net core 2.1, .net core tutorials, asp.net core tutorials, .net core 2.1 tutorials, asp.net core 2.1 tutorials, roles, claims, policy, vs, authentication, authorization, difference
Id: cbtK3U2aOlg
Length: 23min 11sec (1391 seconds)
Published: Sun Apr 14 2019