Authorization in ASP NET Core

Captions
This is part 71 of the ASP.NET Core tutorial. In this video we'll discuss authorization in ASP.NET Core. Authentication is the process of identifying who the user is, whereas authorization is the process of identifying what the user can and cannot do. Authorization usually happens after authentication, because in order for us to be able to determine what the logged-in user can and cannot do, we first have to identify who the user is. For example, if the logged-in user is an administrator user, he may be able to create, read, update and delete orders, that is, perform all the CRUD operations. On the other hand, if the logged-in user is a normal user, who usually has fewer privileges than an administrator user, he may only view an order but not create, update or delete orders. In ASP.NET Core MVC, authorization is implemented through the use of the Authorize attribute. Let's take a look at a couple of examples.

At the moment all users, that is anonymous users as well as authenticated users (logged-in users), are able to see the list of all employees, view a specific employee's details, edit an existing employee's details and even create a new employee. Now what we want to be able to do is limit these two actions, that is creating a new employee and editing an existing employee's details, to authenticated users, that is logged-in users. If the user is not logged in, then they should not be able to create a new employee or edit an existing employee's details. On the other hand, all users, both anonymous and authenticated, should be able to see the list of all employees and view a specific employee's details if they want to. Let's see how to implement this through the use of the Authorize attribute in ASP.NET Core MVC.

Here is the HomeController of our application. The Index action returns us the list of all employees, and the Details action method returns us the details of a specific employee. We do not want to protect these two actions from anonymous access, so I'm not going to decorate them with the Authorize attribute. On the other hand, we want to protect the Create action, so let's decorate it with the Authorize attribute. Let's bring in the required namespace by pressing Ctrl+period. We also want to protect the Edit action from anonymous access, so let's also decorate it with the Authorize attribute. These two actions, Create and Edit, respond to HTTP GET. We also have their counterparts that respond to HTTP POST, and we need to protect them as well from anonymous access, so let's decorate them also with the Authorize attribute.

At the moment I'm not logged in, but I should still be able to see the list of all employees and view a specific employee's details. But when I try to create a new employee or edit an existing employee, notice I'm redirected to the login page. This is because we decorated both the actions with the Authorize attribute. At the moment we're using the Authorize attribute in its simplest form, without any parameters. By using the Authorize attribute like this, we're basically saying we want the users to be at least logged in to be able to reach these actions, and that's the reason we see this login page. Notice in the URL we now have a new query string parameter, ReturnUrl, and its value has got these strange characters, %2F. These are the encoded characters for a forward slash. To see these characters, let's copy the URL and decode them. To decode the URL I'm going to go to this website, paste the URL here and click the Decode button. Notice the value now: it is /home/edit/1. This is the URL that we were trying to access, but since we are not logged in we are redirected to the login page. If you're wondering what is the use of this ReturnUrl query string parameter, well, we could use that to redirect the user to the page that he was trying to access after a successful login. We'll discuss how to do that in our upcoming videos.

Now let's log in and quickly test if we can get to the Create and Edit actions. We are logged in. Let's try to edit this employee's details; I'm able to do that. Let's also create a new employee. Notice we have access to both the actions. Log out.

At the moment we are using the Authorize attribute on the individual controller action methods. We could also apply this on the controller itself. When we do that, it's applicable to all the actions within that controller. Let's quickly test that. First let's remove the Authorize attribute from the individual actions. Now let's include the Authorize attribute at the controller level. With this change, if we are not logged in we will not be able to access any of the actions within the HomeController, including the Index and Details actions. Let's quickly test this. At the moment we are on the list view. If I try to view a specific employee's details, notice we are redirected to the login page. But in our case we want to allow anonymous access to the Index and Details actions. At the moment, by using the Authorize attribute at the controller level, it's applicable to all the actions, including Index and Details, but we want to allow anonymous access to these action methods. To achieve that we could use the AllowAnonymous attribute. Let's do the same with the Details action as well. Notice now we are able to see the list of employees as well as view a specific employee's details.

At the moment we have applied the Authorize attribute at the controller level and the AllowAnonymous attribute on the individual actions. If we use these attributes the other way round, that is the AllowAnonymous attribute at the controller level and the Authorize attribute on individual actions, will it have the desired effect that we want? The answer is no. If we use the AllowAnonymous attribute at the controller level, then it's going to ignore the Authorize attribute that is applied on the individual actions within that controller. I will leave that for you to test and verify.

Now, is there a way to apply this Authorize attribute globally, instead of applying it on each controller like this? The answer is yes, and we do that in Startup.cs. Notice in the ConfigureServices method we are calling the AddMvc extension method to add the required MVC services. At the moment we are using the AddMvc method that does not take any parameters. We have another overloaded version that takes an Action<MvcOptions> as a parameter. We are going to use this overloaded version to configure MVC, so I'm going to pass a parameter here; let's name it options. We need to build an authorization policy first. For that let's create a variable, name it policy, and build the authorization policy. I'm going to use the AuthorizationPolicyBuilder class; bring in the required namespace by pressing Ctrl+period. Then to this we want to chain the RequireAuthenticatedUser method, and then build the authorization policy by calling the Build method. With this authorization policy we are basically saying: to reach any of the controllers or their actions within our application, we want the users to be authenticated, that is logged in. Next we want to add the Authorize filter along with this policy. For that, on the options parameter we have Filters; we want to add a new filter, so we call Add, and the filter that we want to add is a new AuthorizeFilter. Bring in the required namespace, which is Microsoft.AspNetCore.Mvc.Authorization, and then to the constructor let's pass the policy that we have created.

Now when we reload the page we're able to get to the Details action of the HomeController, because on the Details action we are using the AllowAnonymous attribute, so we have anonymous access to the Details action of our HomeController. Now look what happens when I try to go to the login page. We have an error: 404.15, the request filtering module is configured to deny a request where the query string is too long. And that's exactly the problem we have. Look at the query string; it's too long. Let's copy this and paste it in Notepad. Look at the query string parameter: ReturnUrl=/account/login?ReturnUrl=/account/login... It appends the return URL to the URL as a query string parameter several times until it becomes excessively large, so the web server gives up processing and throws this error. Why is this happening? Well, because the application is stuck in an infinite loop. At the moment we have our application configured to apply the Authorize attribute globally. This means even to get to this Login action within our AccountController we must be already logged in. So when I click on the Login link to log in, the application detects I am not logged in, so it tries to redirect me to the login URL, which is /account/login. But again, to get to that URL we must be logged in, so it again tries to redirect me to that same login URL. So it is stuck in this infinite loop until the query string becomes excessively large, so the server gives up processing and it fails with this error message. To fix this, all we need to do is allow anonymous access to the Login actions within our AccountController. Let's bring in the required namespace. We also want to allow anonymous access to the Register actions; otherwise new users will not be able to register with our application. Now let's navigate to the root URL. We see the list of employees. Now, because we allowed anonymous access to both the Login and Register actions, we are able to get to them without logging in.

This is the same piece of code that we used to apply the Authorize attribute globally. Notice we are creating an authorization policy and an Authorize filter. Don't worry if you are new to these concepts; we'll discuss both of them in detail in our upcoming videos. At the moment within our application we're using the Authorize attribute in its simplest form, without any parameters. If we use the Authorize attribute like this, it only checks if the user is authenticated. In addition to this simple authorization, ASP.NET Core also supports role-based, claims-based and policy-based authorization. We'll discuss these authorization techniques in our upcoming videos. That's it in this video. Thank you for listening.
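The whole arrangement the video ends with (a global AuthorizeFilter in Startup.cs, AllowAnonymous on the Index and Details actions, and AllowAnonymous on Login and Register so the redirect loop cannot happen) is shown below as one added example. This is not the video's own project code: the controller and action names follow the transcript, but the cookie authentication registration (the video uses ASP.NET Core Identity, which is not shown on the page), the Content(...) responses that stand in for views, and the EmployeeForm class are assumptions made so the sample runs on its own against ASP.NET Core 2.x.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.DependencyInjection;

namespace EmployeeManagement
{
    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            // Assumed: plain cookie authentication so the challenge redirects to
            // /account/login with a ReturnUrl, as the video shows with Identity.
            services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
                .AddCookie(options => options.LoginPath = "/account/login");

            services.AddMvc(options =>
            {
                // "Logged in" is the only requirement: every controller action is
                // protected unless it is explicitly marked [AllowAnonymous].
                var policy = new AuthorizationPolicyBuilder()
                    .RequireAuthenticatedUser()
                    .Build();
                options.Filters.Add(new AuthorizeFilter(policy));
            });
        }

        public void Configure(IApplicationBuilder app)
        {
            // Authentication must run before MVC so the filter sees the user.
            app.UseAuthentication();
            app.UseMvcWithDefaultRoute();
        }
    }

    // Assumed form model for the POST actions (not on the page).
    public class EmployeeForm
    {
        public int Id { get; set; }
        public string Name { get; set; }
    }

    public class HomeController : Controller
    {
        // Opt these two out of the global filter: anonymous users may list and view.
        [AllowAnonymous]
        public IActionResult Index() => Content("list of all employees");

        [AllowAnonymous]
        public IActionResult Details(int id) => Content($"details of employee {id}");

        // No attribute needed: the global filter already requires a login,
        // for the GET and the POST alike. An unauthenticated request is
        // redirected to /account/login?ReturnUrl=%2Fhome%2Fcreate.
        [HttpGet]
        public IActionResult Create() => Content("create employee form");

        [HttpPost]
        public IActionResult Create(EmployeeForm model) => RedirectToAction(nameof(Index));

        [HttpGet]
        public IActionResult Edit(int id) => Content($"edit form for employee {id}");

        [HttpPost]
        public IActionResult Edit(EmployeeForm model) => RedirectToAction(nameof(Index));
    }

    public class AccountController : Controller
    {
        // Without [AllowAnonymous] the global filter would challenge the login page
        // itself, nesting ReturnUrl=/account/login?ReturnUrl=... until the server
        // rejects the request (404.15, query string too long).
        [HttpGet]
        [AllowAnonymous]
        public IActionResult Login(string returnUrl) => Content($"login page, returnUrl={returnUrl}");

        [HttpGet]
        [AllowAnonymous]
        public IActionResult Register() => Content("register page");

        // Logout stays protected: only a logged-in user has a session to end.
        [HttpPost]
        public IActionResult Logout() => RedirectToAction("Index", "Home");
    }
}
```

Note that the direction of the attributes matters exactly as the video says: AllowAnonymous on an action (or a controller) wins over any Authorize attribute or global filter that would otherwise apply to it, so putting AllowAnonymous at the controller level would also open every action you decorated with Authorize inside it.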
Info
Channel: kudvenkat
Views: 159,817
Keywords: asp.net core authorize user, asp.net core authorization tutorial, asp.net core basic authorization, asp.net core disable authentication, asp.net core disable authorization, asp.net core default authorization, asp.net core authorization example, asp.net core global authorization filter, asp.net core global authorization policy, asp.net core authorize global, asp.net core 2.0 global authorize, authorize attribute in asp.net core, asp.net core mvc authorize attribute
Id: uET7MjhUeY4
Length: 12min 26sec (746 seconds)
Published: Wed Jun 12 2019