✅ Help with authentication/authorization for my application with .net 7
Hi,
I was hoping someone could help me out with Claims/Identity/Roles.
I have an application with a couple system users. These users pass an API Key along their requests.
Through this api key, I find their actual user in a DB. In addition to the
User table, I have a Feature table and a UserFeature table that connects a user with some feature of the application. This is how I can see that userA has access to the feature CustomerSearch for example.
I would like to move away from gnarly if-checks in the controller to see if a UserFeature entity exists with the userId, and instead make use of the annotations found in .net on the controller endpoints so that I can simply annotate that a method requires a certain feature. Any ideas?16 Replies
Reading up on claims on microsoft docs this doesn't seem to fit with how identity / authentication is commonly done
I'd appreciate any thoughts on this topic as I have never done "proper" authentication before
Unknown User•9mo ago
Message Not Public
Sign In & Join Server To View
It's actually super straight forward. Just an ordinary backend service with an api (web api project .net 7.0) with the following data structure for the user / features part:
So I have EFCore and regular controllers
currently what I do is inject the DbContextFactory to the controllers which have to create a context and query for a user with a matching token, then query the userfeatures to see if they have the feature that the endpoint requires
thats it
the users are system users
so they never perform any operations like forget password, reset password etc that i see mentioned in the Identity docs
they simply pass a token we assigned to them ages ago
that's how i receive the apikey in the controllers, i believe this should cover the current solution sufficiently
I saw there was some annotations I could add onto controllers to check for Claims
ideally I'd associate a Feature with a user such that a Feature can be mapped to a claim
Was this issue resolved? If so, run
/close - otherwise I will mark this as stale and this post will be archived until there is new activity.Anybody else have some thoughts on this topic?
You should probably make your own AuthenticationHandler that does the DB lookup and registers claims based on the database results
RemoteAuthenticationHandler<T> is the base class iirc
or well, perhaps remote isnt the right one herehmm
AuthenticationHandler<T>
alternatively just IAuthenticationHandler and IAuthenticationRequestHandler
Auth is non trivial 🙂okay, this will allow me to do the role stuff on controller methods?
Based on a brief reading, wouldn't claims be better?
I dont know about any of this stuff
maybe?
roles are stuff like "Im an admin"
claims are more granular like, "I can administrate user messages"
ah then that is exactly what i need
Ok, so something that scans db for existing users and adds them where needed with regards to the claims?
well, you'd extract the API key from the request as part of the handler
then look up the correct things that user can access and issue claims for each of them
okay, I'll have a look at this 🙂
Thanks @Pobiega , this was easy to implement and seems to do the trick
!solved
That command had an error
UnknownCommand: Unknown command.
Remove your reaction to delete this message