DotNetMalaga-Autorización en Asp.Net Core

Transcript

1. Autorización en Asp.Net Core ¿De verdad la conoces?

2. @hbiarge [email protected] Developer Mountain lover Hugo Biarge Software Development Engineer

   @ Plain Concepts

3. Agenda • Authentication vs Authorization • Asp.Net vs Asp.Net Core

   • Policies, requirements and handlers • Extensibility • More than one authentication scheme Demo code: https://github.com/hbiarge/Authorization-Workshop Hugo Biarge - @hbiarge

4. Authentication vs Authorization Authentication Identify authentication information in the request,

   use the configured methods to read it and create an instance of ClaimsPrincipal with the ClaimsIdentity and Claims of the requester Authorization Based on the requester Claims, the resource state, and potentially other information, allow or disallow action execution or filter resource information Hugo Biarge - @hbiarge

5. Once upon a time… • [Authorize] and [AllowAnonymous] are used

   in WebApi and MVC in the .Net Framework • They are the only “out of the box” resort to manage authorization • Supports Users and Roles • Implemented as an Authorization Filter • Executed early in the request lifecycle Hugo Biarge - @hbiarge

6. But… it´s the same in Core, right? • [Authorize] and

   [AllowAnonymous] also exist in .Net Core • It makes it easy to learn and use because the behavior is the same • The underlying infrastructure is completely new • Managed as an Authorization Filter in the ResourceInvoker class in an early stage of the request lifecycle • Supports only Roles (for compatibility reasons) and Policies Hugo Biarge - @hbiarge

7. But I´m still working with Asp.Net… • There is a

   backport that can be used in MVC and WebApi with Asp.Net 4 • https://github.com/DavidParks8/Owin-Authorization Hugo Biarge - @hbiarge

8. ClaimsPrincipal and ClaimsIdentity • ClaimsPrincipal aggregates one or many ClaimsIdentity.

   A request can use more than one scheme to be authenticated • Each ClaimsIdentity includes the set of Claims for an authentication scheme • A Claim defines: • Type: the name (can be duplicates) • Value: the value • Issuer: who has generated the claim? Hugo Biarge - @hbiarge

9. Introducing Policies // In Startup ConfigureServices services.AddAuthorization(options => { options.AddPolicy("RequireAdministration",

   policy => { policy.RequireRole("Administration"); policy.RequireClaim("Management"); policy.RequireClaim("OneOfMany", "a", "b"); }); }); Hugo Biarge - @hbiarge

10. What´s a Policy? • Composed by one or more Requirements

    • A Requirement is managed by one or more Handlers • A Policy will be satisficed (authorized) if ALL its Requirements are satisficed • A Requirement will be satisficed if at least one of its Handlers satisfy it • By default, all the Handlers registered for a Requirement are evaluated, although some fail Hugo Biarge - @hbiarge

11. Policies as code public class MinimumAgeRequirement : AuthorizationHandler<MinimumAgeRequirement>, IAuthorizationRequirement {

    protected override void Handle( AuthorizationContext context, MinimumAgeRequirement requirement) { // Logic to validate requirement context.Succeed(requirement); } } // In Startup ConfigureServices options.AddPolicy("Over18Only", policy => { policy.Requirements.Add(new MinimumAgeRequirement(18)); }); Hugo Biarge - @hbiarge

12. Requirements and Handlers • IAuthorizationRequirement • Can give context (state)

    for the authorization process • AuthorizationHandler<IAuthorizationRequirement> • AuthorizationHandler<IAuthorizationRequirement, Resource> • Implements the authorization logic receiving: • Authorization context • Requirement • The resource (optional) Hugo Biarge - @hbiarge

13. Managing the authz logic in Handlers • If the request

    should be authorized by the Handler • context.Succeed(requirement) • If the request should not be authorized by the Handler • Do nothing!! • There can be other Handlers registered for the same Requirement • Only in extreme scenarios • context.Fail() Hugo Biarge - @hbiarge

14. Handlers and DI • All the Handlers should be registered

    in the DI container • Singleton works for handlers without dependencies • Handlers with dependencies should honor the lifetime of it´s dependencies • ValidateScopes = true is your friend Hugo Biarge - @hbiarge

15. Resource based Authorization • AuthorizationHandler<Requirement, Resource> • In the Handle

    method we have access to the resource in a typed way public class ProductAuthorizationHandler : AuthorizationHandler<OperationAuthorizationRequirement, Product> { protected override void Handle( AuthorizationContext context, OperationAuthorizationRequirement requirement, Product resource) { // Logic to validate requirement } } Hugo Biarge - @hbiarge

16. Imperative Authorization IAuthorizationService in Controllers or Views public async Task<IActionResult>

    Index() { if (await _authorizationService.AuthorizeAsync(User, Policies.Over21)) { // User is authorized here. } else { return new ChallengeResult(); } } Hugo Biarge - @hbiarge

17. Extensibility • You can implement your own IAuthorizationPolicyProvider • Create

    policies dynamically • Use an external authorization service (https://policyserver.io/) • … • Only one per application • Fallback mechanism • Cache Hugo Biarge - @hbiarge

18. More than one auth scheme • By default, the Default

    Authentication Scheme is used to create the ClaimsPrincipal • We can configure other authentication schemes in Policies or in the [Authorize] attribute • Overrides the default authentication scheme • Adds to the ClaimsPrincipal an instance of ClaimsIdentity per scheme • The ClaimsPrincipal expose all the aggregated claims of all the ClaimsIdentity included Hugo Biarge - @hbiarge

19. Thanks! ¿Questions? Hugo Biarge - @hbiarge

20. None