Authorization in Asp.Net Core

Transcript

1. Authorization in Asp.Net Core Madrid - 20/02/2019 Hugo Biarge

2. Hugo Biarge Developer [email protected] @hbiarge

3. Agenda • Authentication vs Authorization • Asp.Net vs Asp.Net Core

   • Policies, requirements and handlers • Testing • Extensibility https://github.com/hbiarge/Authorization-Workshop

4. Authentication vs Authorization Authentication Identify authentication information in the request,

   use the configured methods to read it and create an instance of ClaimsPrincipal with the ClaimsIdentity and Claims of the requester Authorization Based on the requester Claims, the resource state, and potentially other information, allow or disallow action execution or filter resource information

5. Once upon a time… • [Authorize] and [AllowAnonymous] are used

   in WebApi and MVC in the .Net Framework • They are the only “out of the box” resort to manage authorization • Supports Users and Roles • Implemented as an Authorization Filter • Executed early in the request lifecycle

6. But… it´s the same in .Net Core, right? • [Authorize]

   and [AllowAnonymous] also exist in .Net Core • It makes it easy to learn and use because the behavior is the same • The underlying infrastructure is completely new • Managed as an Authorization Filter in the ResourceInvoker class in an early stage of the request lifecycle • Supports only Roles (for compatibility reasons) and Policies

7. ClaimsPrincipal and ClaimsIdentity • ClaimsPrincipal aggregates one or many ClaimsIdentity.

   A request can use more than one scheme to be authenticated • Each ClaimsIdentity includes the set of Claims for an authentication scheme • A Claim defines: • Type: the name (can be duplicates) • Value: the value • Issuer: who has generated the claim?

8. Testing authentication and authorization • TestHost • Acheve.TestHost.Security

9. What´s a Policy? • Composed by one or more Requirements

   • A Requirement is managed by one or more Handlers • A Policy will be satisficed (authorized) if ALL its Requirements are satisficed • A Requirement will be satisficed if at least one of its Handlers satisfy it • By default, all the Handlers registered for a Requirement are evaluated, although some fail

10. Simple policies // In Startup ConfigureServices services.AddAuthorization(options => { options.AddPolicy("RequireAdministration",

    policy => { policy.RequireRole("Administration"); policy.RequireClaim("Management"); policy.RequireClaim("OneOfMany", "a", "b"); }); });

11. Policies as code public class MinimumAgeRequirement : AuthorizationHandler<MinimumAgeRequirement>, IAuthorizationRequirement {

    protected override void Handle( AuthorizationContext context, MinimumAgeRequirement requirement) { // Logic to validate requirement context.Succeed(requirement); } } // In Startup ConfigureServices options.AddPolicy("Over18Only", policy => { policy.Requirements.Add(new MinimumAgeRequirement(18)); });

12. Requirements and Handlers • IAuthorizationRequirement • Can give context (state)

    for the authorization process • AuthorizationHandler<IAuthorizationRequirement> • AuthorizationHandler<IAuthorizationRequirement, Resource> • Implements the authorization logic receiving: • Authorization context • Requirement • The resource (optional)

13. Managing the Authorization logic in Handlers • If the request

    should be authorized by the Handler • context.Succeed(requirement) • If the request should not be authorized by the Handler • Do nothing!! • There can be other Handlers registered for the same Requirement • Only in extreme scenarios • context.Fail()

14. Handlers and DI • All the Handlers should be registered

    in the DI container • Singleton works for handlers without dependencies • Handlers with dependencies should honor the lifetime of it´s dependencies • ValidateScopes = true is your friend

15. Resource based Authorization • AuthorizationHandler<Requirement, Resource> • In the Handle

    method we have access to the resource in a typed way public class ProductAuthorizationHandler : AuthorizationHandler<OperationAuthorizationRequirement, Product> { protected override void Handle( AuthorizationContext context, OperationAuthorizationRequirement requirement, Product resource) { // Logic to validate requirement } }

16. Imperative Authorization IAuthorizationService in Controllers or Views public async Task<IActionResult>

    Index() { if (await _authorizationService.AuthorizeAsync(User, Policies.Over21)) { // User is authorized here. } else { return new ChallengeResult(); } }

17. Extensibility • You can implement your own IAuthorizationPolicyProvider • Create

    policies dynamically • Use an external authorization service (https://policyserver.io/) • … • Only one per application • Fallback mechanism • Cache

18. Use more than one authentication scheme • We can define

    authentication schemes in Policies or in the [Authorize] attribute • Adds to the ClaimsPrincipal an instance of ClaimsIdentity per scheme • The ClaimsPrincipal expose all the aggregated claims of all the ClaimsIdentity included • Overrides the default authentication scheme

19. But I´m still working with Asp.Net… • There is a

    backport that can be used in MVC and WebApi with Asp.Net 4 • https://github.com/DavidParks8/Owin-Authorization

20. Thanks! ¿Questions?