Introduction To Permission Authorization In ASP.NET Core 7 | Permission Authorization - Part 1

Captions
Hi everyone, my name is Milan and welcome to the first video in the permission authorization series. In this video we're going to set the foundation for building the permission authorization feature. We're going to start the implementation and add some initial components, and then with every video in this series we're going to add elements on top of this foundation until we get the final implementation.

So let's see what problem we are actually trying to solve with permission authorization. I'm starting from the MembersController, and more specifically the GetMemberById endpoint, because we have the Authorize attribute applied on this endpoint and we require users to be authenticated when hitting this API endpoint. If you missed the previous video where I talked about implementing JSON Web Token authentication, you can take a look at that video here from the link that's going to pop up at the top of your screen, and after you watch that video I suggest that you return to this one, because it's going to be easier to follow.

If I take a look at the constructor of the Authorize attribute, we can see that we have access to a few properties that we can set. The default constructor accepts a string that specifies the policy to be used for this Authorize attribute, but we can also set the authentication scheme, the Policy property directly, and the Roles. If you are familiar with role-based authentication, you would typically see something like this, where you specify the Roles property and then you specify a comma-delimited string of roles that are required to access this endpoint. So for example we could require the user to have the Registered role when accessing this endpoint, and this is going to check for the roles claim in the JSON Web Token and see if the Registered value is present inside of that claim. Alternatively you could specify a policy here; for example, a policy name can be CanReadMember, and we would have to specify a custom policy with this name and provide an implementation to verify that the authenticated user can indeed access this endpoint.

The problem with both approaches is that you have to specify a hard-coded value for either the roles or the policy, and for the policies you need to register all of them manually to be able to work inside of ASP.NET Core. So I mentioned that we were going to implement permission authorization. Imagine that instead of the Authorize attribute we could type something like this: let's say we had a HasPermission attribute, and we would specify it here, and then we would have a way to access our permissions, which are going to be either string constants or, even better, an enum. And this is the approach that we are going to use. On this enum we can define a specific value, for example ReadMember, and this is how we would define the authorization component of this endpoint. So for an authenticated user to be able to access this endpoint, they need to satisfy this authorization attribute, which we are going to create in just a moment, which specifies which permission is required to be able to access that endpoint.

So let's start out with the HasPermission attribute. I'm going to go over to the Infrastructure project, and inside of the Authentication folder I'm going to add a new class which is going to hold our HasPermission attribute. This attribute is going to inherit from the Authorize attribute that we just saw, so I'm going to make this class public and sealed and make it inherit from the existing AuthorizeAttribute. Let's define a constructor on our attribute. We are going to have just one argument, which is going to be a string representing our permission that is required to satisfy this HasPermission attribute, and we can pass this permission to our base constructor to specify the policy that is required on the Authorize attribute. So I'm going to use this permission to specify a policy that needs to be fulfilled for an authenticated user to be able to pass authorization.

Let's also create a class that is going to hold the permissions. So I'm going to say Permission, and for starters I'm going to make it public and static, and I'm just going to add one constant, which is going to be the permission that we had in the MembersController a moment ago. The name of this permission is going to be ReadMember, and I'm just going to assign it the same value. All right, so now if I go back to the MembersController, I can add a reference to the Infrastructure project and we can get access to the HasPermission attribute. So I'm going to go ahead and do that, and now this compiles. We have the HasPermission attribute and we are specifying our permission as a string. So this is one way that we can approach this, but a better approach would probably be to use enums instead of constant strings, so let's go ahead and make that change. I'll go to the ReadMember permission and I'm going to turn this class from a static class into an enum. Let's get rid of this constant string and let's define our permission as an actual enum value, so I'm going to say ReadMember and give it the value of 1.

Now if I go back to the MembersController, you can see that we are going to get a compile error here. This is because the HasPermission attribute is expecting a string instead of an enum, so I'm going to fix that. Let's go to the HasPermission attribute and I'm going to change this from a string into a Permission enum. So now the MembersController should be fine, but I need to convert the Permission instance to a string to satisfy the policy that is required for the Authorize attribute. And now if I go back to the MembersController, you can see that everything compiles. This time we are using enums instead of constant strings, and we have a very elegant way to define which permission is required to access a certain endpoint.

Based on our requirements we can use as much granularity as we need for defining these permissions. We could have one high-level permission that we could place on the controller level. For example, if I go into the Permission enum, let's say instead of the ReadMember I want to have a higher-level permission, for example AccessMembers. This is going to be a top-level permission that is going to allow access to all of the members. I'm going to give it a value of 1 and make the ReadMember permission a value of 2. And if I go back to the MembersController, we can define this permission on the controller level right here and specify the HasPermission attribute, and here I can say Permission.AccessMembers. And now instead of having a specific permission on the endpoint, I can have a high-level permission on the entire controller that is going to handle all of the endpoints under this controller. So this approach is very flexible and you can decide which way you want to go. I usually prefer having specific permissions per endpoint, perhaps not a permission for every single endpoint; for example, if I have a few GET endpoints, I'm going to use the same permission, like this one.

So what are going to be our next steps? We need a way to configure which member has which permissions, and how we are going to do this is we're going to define roles that we are going to assign to our members, and then for each role we are going to configure which permissions that role has. For example, we could have a simple role like Registered, and it's going to have a specific set of permissions, and we may want to have an Administrator role that is going to have access to a wider range of permissions, because we want our administrator to have more capabilities inside of the application.

I hope that you enjoyed this video, even though it's just an introduction to the permission authorization topic. In the next few videos in this series you're going to see how we're going to implement this to work inside of ASP.NET Core. While you wait for the next video in this series, here are two videos that you can watch to fill the time, and until next time, stay awesome.
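The attribute and enum built in the video, written out as an added C# example. This is not the video's own source code, though it follows the names used on screen (HasPermission, Permission, ReadMember, AccessMembers). The namespace, the controller route and the `permission` claim name used in the policy registration are assumptions; the registration loop is included because, as the video notes, ASP.NET Core only knows policies that have been registered, and a request hitting an endpoint whose policy name is unregistered fails with an InvalidOperationException rather than a 403.

```csharp
using System;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

namespace Infrastructure.Authentication; // assumed namespace

// Permissions as an enum instead of string constants.
// Values follow the video: the controller-level permission is 1, the endpoint one is 2.
public enum Permission
{
    AccessMembers = 1, // high-level: applied on the whole MembersController
    ReadMember = 2     // fine-grained: applied on a single GET endpoint
}

// HasPermission inherits AuthorizeAttribute and maps the enum value to a policy name.
// The attribute only names the policy; the check itself is done by the
// authorization middleware against whatever policy is registered under that name.
public sealed class HasPermissionAttribute : AuthorizeAttribute
{
    public HasPermissionAttribute(Permission permission)
        : base(policy: permission.ToString())
    {
    }
}

// Usage. [HasPermission] on the class covers every action in the controller;
// on an action it covers only that endpoint. Both can be combined, in which
// case the caller must satisfy both policies.
[ApiController]
[Route("api/members")] // assumed route
public sealed class MembersController : ControllerBase
{
    [HttpGet("{id:guid}")]
    [HasPermission(Permission.ReadMember)]
    public IActionResult GetMemberById(Guid id) => Ok(new { id });
}

// Manual registration of one policy per enum value, to be called from Program.cs
// (builder.Services.AddPermissionPolicies()). This is the "register all of them
// manually" step the video describes; the JWT is assumed to carry a "permission"
// claim whose value is the enum name. Later parts of the series replace this
// with a dynamic policy provider.
public static class PermissionAuthorizationExtensions
{
    public static IServiceCollection AddPermissionPolicies(this IServiceCollection services) =>
        services.AddAuthorization(options =>
        {
            foreach (var permission in Enum.GetValues<Permission>())
            {
                var name = permission.ToString();
                options.AddPolicy(name, policy => policy.RequireClaim("permission", name));
            }
        });
}
```

Because the attribute stores the policy name as a string, renaming an enum member silently changes the policy name it produces; the loop above keeps registration and attribute in sync by deriving both from the same enum, which is the property to preserve when the registration later moves into a custom policy provider.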
Info
Channel: Milan Jovanović
Views: 42,265
Keywords: authorization, authorization vs authentication, authorization and authentication, authorization jwt, permission authorization, jwt, jwt.io, permissions, auth, permission auth, asp.net core authorization, api, asp.net core 7, authorization with permission, rbac, abac, authorization asp.net, authorization api, authorization controller
Id: PlbAuNvR16s
Length: 8min 29sec (509 seconds)
Published: Fri Dec 02 2022