I’m exploring Minimal APIs in .NET 6, and trying to apply a custom Authorization Filter to the endpoint (via Attributes or Extensions).
But it seems to me, I am doing something wrong, or it’s simply not designed to work in that way (and it’s sad if so).
Couldn’t find anything in the docs besides the default usage of the [Authorize] attribute in Minimal APIs.
Here is the filter:

```csharp
using Microsoft.AspNetCore.Mvc.Filters;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class CustomAuthorizeAttribute : Attribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationFilterContext context)
    {
        // Checking tokens
    }
}
```
And if I try to apply it at Controller level, it works fine:

```csharp
[CustomAuthorize]
public class CustomController : ControllerBase
{
    // Necessary routing
}
```
But if I switch to Minimal APIs notation and try to use attributes:

```csharp
app.MapGet("/customEndpoint",
    [CustomAuthorize] async ([FromServices] ICustomService customService, Guid id) =>
        await customService.GetCustomStuff(id));
```
or even an extension method:

```csharp
app.MapGet("/customEndpoint",
    async ([FromServices] ICustomService customService, Guid id) =>
        await customService.GetCustomStuff(id)).WithMetadata(new CustomAuthorizeAttribute());
```
It just doesn’t work. The filter isn’t even being constructed.
What did I miss or did wrong?
Thx in advance
2 Answers
I think you won’t be able to inject an action filter in minimal APIs; you can use 3 alternative approaches.
Create a custom middleware and inject it in the startup class. It would check every request and do the intended work as your filter is doing. You can put a check for the request path there if you only need to validate a specific controller/endpoint.
The second approach is that you can inject HttpContext in the minimal API like this; from that extract the JWT token and validate it, and if it is found not OK, reject that request.
As @Dai suggested, you can extract the token in this way also:
startup.cs
You can write a custom authorization filter for Minimal API in .NET 6.0.
Here is how I tend to approach it – by using Policy-based authorization in ASP.NET Core
Step 1: Create a Requirement
A requirement implements IAuthorizationRequirement.
Note: A requirement doesn’t need to have data or properties.
Step 2: Create a Requirement Handler
A requirement handler implements AuthorizationHandler<T>.
Note: the HandleRequirementAsync method returns no value. The status of either success or failure is indicated by calling context.Succeed(IAuthorizationRequirement requirement) and passing the requirement that has been successfully validated, or by calling context.Fail() to indicate AuthorizationHandlerContext.HasSucceeded will never return true, even if all requirements are met.
Step 3: Configure Your Policy in the Authorization Service
Step 4: Add Your Requirement Handler to DI
Step 5: Apply Policy to Endpoints
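The five steps above carried through in one Program.cs, as an added example that is not the answer's own code: the names CustomTokenRequirement, CustomTokenHandler, CustomTokenPolicy and the X-Custom-Token header are assumptions, the .NET 6 web SDK's implicit usings are assumed, and a JWT bearer scheme (package Microsoft.AspNetCore.Authentication.JwtBearer) is assumed so that a failed policy produces a 401 challenge rather than an exception from the authorization middleware.

```csharp
using Microsoft.AspNetCore.Authorization;
var builder = WebApplication.CreateBuilder(args);

// Assumption: a bearer scheme is registered so a failed policy yields a 401 challenge, not an exception.
builder.Services.AddAuthentication("Bearer").AddJwtBearer();

// Step 3: configure a policy that carries the custom requirement.
builder.Services.AddAuthorization(options =>
    options.AddPolicy("CustomTokenPolicy", policy =>
        policy.AddRequirements(new CustomTokenRequirement())));

// Step 4: add the handler to DI so the authorization service can resolve it.
builder.Services.AddSingleton<IAuthorizationHandler, CustomTokenHandler>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Step 5: apply the policy to the endpoint instead of a filter attribute.
app.MapGet("/customEndpoint", (Guid id) => Results.Ok(new { id }))
   .RequireAuthorization("CustomTokenPolicy");
app.Run();

// Step 1: a requirement is only a marker type; it needs no data.
public class CustomTokenRequirement : IAuthorizationRequirement { }

// Step 2: the handler performs the token check the question's filter was meant to do.
public class CustomTokenHandler : AuthorizationHandler<CustomTokenRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, CustomTokenRequirement requirement)
    {
        // With endpoint routing, Resource is the HttpContext of the current request.
        if (context.Resource is HttpContext http &&
            http.Request.Headers.TryGetValue("X-Custom-Token", out var token) &&
            IsValid(token!))
        {
            context.Succeed(requirement);   // mark this requirement as satisfied
        }
        else
        {
            context.Fail();                 // HasSucceeded stays false even if other requirements pass
        }
        return Task.CompletedTask;
    }

    // Placeholder check (assumption); a real one validates signature, expiry and issuer.
    private static bool IsValid(string token) => !string.IsNullOrWhiteSpace(token);
}
```

A request to /customEndpoint?id=... with a non-empty X-Custom-Token header returns 200; one without it is challenged with 401 by the bearer scheme.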