Before posting this question I've done lots of research on the Internet. I've found some stuff, but I wasn't able to find something that fits my case.
So please point me in the right direction or give me code snippets to go on.
I'm developing an app in .NET 6 which consists of 2 projects: a Blazor WASM project for the client side and a Web API project for the APIs of my app.
At the moment, I’ve successfully implemented authentication from a central Identity Server 4. I receive "id_token" and "access_token" and use them to
secure access to my web-APIs from unauthenticated users.
The problem is that now I want to implement "role-based authorization". The facts are:
- I cannot modify the code of the common Identity Server I use.
- I have the users, the roles and their connection inside my app’s database.
I think that the right solution here is implementing a MIDDLEWARE which reads the roles from my database and adds them into the "Claims".
Where should I develop the middleware? Web-Api project, blazor project or both???
If I developed a middleware in the Web API project (where by default there is already a pipeline) which adds roles into the Claims of the "access_token",
the Blazor project wouldn't work because of the modified token, right???
Could you help me with code snippets or provide me the right directions?
Thank you for your time!!!
2 Answers
Authorization is solely an API responsibility:
My sample .NET API shows one way of doing this and building a custom ClaimsPrincipal. Once you’ve done that, .NET’s standard authorization techniques such as the [Authorize] attribute will work based on the ClaimsPrincipal’s contents.
The client sends the access_token in every request. The server validates the access_token and then creates a ClaimsPrincipal with the claims that were included in the token. In your server you can add additional claims to the ClaimsPrincipal using the OnTokenValidated event. Example:
Then in your controllers you can check for the role using `[Authorize(Roles = "admin")]` or `User.IsInRole("admin")`.
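Putting the second answer's OnTokenValidated approach together, as an added example that is not code from either answer: a .NET 6 Web API `Program.cs` that leaves the token from the shared IdentityServer4 untouched and only enriches the server-side ClaimsPrincipal with roles read from the app's own database. The `IRoleLookup` interface, `InMemoryRoleLookup` (constructed sample data standing in for the real user/role tables) and the Authority/Audience values are assumptions, not part of the original answers.

```csharp
// Added example (not from the answers above). Relies on the .NET 6 Web SDK implicit usings
// for DependencyInjection, Linq and Tasks.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
builder.Services.AddScoped<IRoleLookup, InMemoryRoleLookup>(); // hypothetical; swap for an EF Core query

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://identity.example.com"; // placeholder: the shared IdentityServer4
        options.Audience = "myapi";                         // placeholder: this API's resource name
        options.Events = new JwtBearerEvents
        {
            // Runs only after signature, issuer, audience and lifetime checks have passed.
            // The token itself is never modified; only this request's ClaimsPrincipal is enriched,
            // so the Blazor client keeps working with the unchanged access_token.
            OnTokenValidated = async context =>
            {
                if (context.Principal?.Identity is not ClaimsIdentity identity) return;
                var userId = identity.FindFirst(ClaimTypes.NameIdentifier)?.Value
                             ?? identity.FindFirst("sub")?.Value; // "sub" is remapped by default
                if (userId is null) { context.Fail("token has no subject claim"); return; }

                var lookup = context.HttpContext.RequestServices.GetRequiredService<IRoleLookup>();
                foreach (var role in await lookup.GetRolesAsync(userId))
                    // Use the identity's own RoleClaimType so [Authorize(Roles = ...)] and IsInRole match.
                    identity.AddClaim(new Claim(identity.RoleClaimType, role));
            }
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

public interface IRoleLookup { Task<IReadOnlyList<string>> GetRolesAsync(string userId); }

// Constructed sample data standing in for the user/role tables in the app database.
public sealed class InMemoryRoleLookup : IRoleLookup
{
    private static readonly Dictionary<string, string[]> Roles = new() { ["user-123"] = new[] { "admin" } };
    public Task<IReadOnlyList<string>> GetRolesAsync(string userId) =>
        Task.FromResult<IReadOnlyList<string>>(Roles.TryGetValue(userId, out var r) ? r : Array.Empty<string>());
}
```

Because the roles are looked up per request, revoking a role in the database takes effect on the next call even though the access_token is still valid.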