How do we implement permissions in ASP.NET identity?

c# asp.net asp.net-web-api permissions asp.net-identity
16,179

Solution 1

I extended ASP.NET Identity to allow for permissions as you describe it. I did it to decouple the security model from your application model. The problem with the traditional approach of putting roles in an AuthorizeAttribute is you have to design your security model the same time as you design your application, and if you make any changes you have to recompile and redeploy your application. With the approach I came up with you define resources and operations in a custom AuthorizeAttribute, where operations are analogous to permissions. Now you decorate methods like this:

[SimpleAuthorize(Resource = "UserProfile", Operation = "modify")]
public ActionResult ModifyUserProfile()
{
    ViewBag.Message = "Modify Your Profile";
    return View();
}

Then you can assign a resource/operation to a role in the database, configuring your security model during deployment and can modify it without redeployment. I wrote about this approach using SimpleMembership here. And later ported it to ASP.NET Identity here. The articles have links to the full source code with reference applications.

Solution 2

You should extend the Identity classes and add this functionality to that. roles and permissions have a many-to-many relation together so you should change the IdentityRole class as something like this:

public class IdentityRole<TKey, TRolePermission>
{
    public string Title { get; set; }

    public virtual ICollection<TRolePermission> Permissions { get; set; }
}

As you can see you want a intermediate object and table named RolePermission. And the Permission class can look like something like this:

public class IdentityPermission<TKey, TRolePermission>
{
    public virtual TKey Id { get; set; }
    public virtual string Name { get; set; }
    public virtual string Description { get; set; }

    public virtual ICollection<TRolePermission> Roles { get; set; }
}

Then you should create custom AuthorizeAttribute to execute authentication check on the controllers and actions. that could be somthing like this:

public class AuthorizePermissionAttribute : AuthorizeAttribute
{
    public string Name { get; set; }
    public string Description { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        return base.AuthorizeCore(httpContext)
               && Task.Run(() => httpContext.AuthorizePermission(Name, Description, IsGlobal)).Result;
    }
}

You can override the AuthorizeCore method to add the permission authentication to the normal Role-based authentication. Although you can do this easily, i implemented it as an open source Permission-based Identity extension here and you can use it direclty or get inspired from that to do it on your own.

Solution 3

I find this link as a good approach for dotnet core which can be applied to dotnet framework. in this approach, all things we need is related to claims which are implemented inside Identity and there is no need to Extend Identity.

Share:
16,179
Shaun Luttin
Author by

Shaun Luttin

My professional work focuses on designing, testing, implementing/securing, and deploying distributed services. I kind be "that guy" too. Ship it!

Updated on June 14, 2022

Comments

  • Shaun Luttin
    Shaun Luttin almost 2 years

    We understand how to implement authentication and authorization in ASP.NET identity with the WebApi. For instance, we can log a user in and then retrieve both his secure token and role.

    We now want to add permissions. For instance, user steve may be in the admin role. Now we want to assign read, edit, and delete permissions to the admin role. How do we do that in ASP.NET Identity? Is there existing permissions infrastructure in ASP.NET Identity?

  • Shaun Luttin
    Shaun Luttin about 10 years
    I am wondering about how to add discrete permissions to those roles.
  • Parth Shah
    Parth Shah about 10 years
    Is it important to make those permissions discrete? Using the role based authorization infrastructure of ASP.NET MVC shifts the responsibility of processing/rejecting the request away from you, thus reducing the amount of code you have to write overall. I would recommend you to not write more code than you need to for maintainability reasons.
  • Shaun Luttin
    Shaun Luttin about 10 years
    It is important to make permissions discrete, because we want to be able to modify the permissions that each role has.
  • Onsongo Moseti
    Onsongo Moseti almost 6 years
    Hello Kevin, I am trying to implement permission in my ASP.NET application. The links you have provided lead to an empty page. I wanted to know how you have implemented permissions. Could you please provide the correct? link to the resources you have implied to in the above answer?
  • Kevin Junghans
    Kevin Junghans almost 6 years
    @OnsongoMoseti - The article pointed to a CodePlex project which as been shut down. You could have downloaded the whole project from the page in the link. But I have also moved it to GitHub. The links in the articles have been updated to GitHub and you can reach it here github.com/kjunghans/SimpleSecurity .
  • Mosia Thabo
    Mosia Thabo almost 3 years
    Why not use Claims Table as your Permissions store that's already there than creating a new table that's basically going to perform similar functions?
  • dizarter
    dizarter almost 2 years
    Here's a web.archive link for ASP.NET Identity article web.archive.org/web/20200812010115/http://…

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

CreateUserIdenityAsync returns "UserId not found" exception for custom IdentityUser
Extending IdentityUser with EF Code-first on VS 2013 SPA AccountController
Are all the web requests executed in parallel and handled asynchronously?
Multiple optional parameters web api attribute routing
Inherit from IdentityUser I get an error on UserManager<User>
Role Claims in ASP.NET Core Identity compared to Role Permissions in custom auth
Web Api 2 Handle OPTIONS Requests
WebAPI OData Error The ObjectContent type failed to serialize the response body for content type 'application/json...'
Can you have 2 GET methods with different parameter types within the same web api controller?
Asp.net WebAPI: Aborted (cancelled) requests