✅ How do you create custom authz/autho in ASP.NET Core?

reinaldyrfl · 2023-10-13T07:08:48.957Z

As far as I know, on the internet there's only an implementation for JWT authentication. Yet, I need totally custom implementation that's not related to JWT at all. I have an additional case that every static file visit should also be authenticated (the specification said so). According to my implementation, anonymous access should be allowed. But for unknown reasons, I got empty content with 401 status code for any page and any method. I think I'm missing something, yet I don't know what it is.

R

reinaldyrflOP•10/13/23, 7:09 AM

Currently my code is:

Program.cs

builder.Services.AddAuthentication("Session")
    .AddScheme<SessionAuthenticationSchemeOptions, SessionAuthenticationHandler>("Session", options => { });
builder.Services.AddAuthorization(options => {
    options.AddPolicy("Session",
        policyBuilder => policyBuilder.AddAuthenticationSchemes("Session").RequireAuthenticatedUser().Build());
});

/// ...
app.UseSessionAuthentication(new SessionAuthenticationOptions {
    PolicyName = "Session"
});
app.UseAuthentication();
app.UseAuthorization();

/// ...
/// This is the static files route that should also be authenticated
    app.UseStaticFiles(new StaticFileOptions {
        FileProvider = new PhysicalFileProvider(
            Path.Combine(Directory.GetCurrentDirectory(), @"Frontend", @"dist")),
        RequestPath = new PathString("/")
    });

builder.Services.AddAuthentication("Session")
    .AddScheme<SessionAuthenticationSchemeOptions, SessionAuthenticationHandler>("Session", options => { });
builder.Services.AddAuthorization(options => {
    options.AddPolicy("Session",
        policyBuilder => policyBuilder.AddAuthenticationSchemes("Session").RequireAuthenticatedUser().Build());
});

/// ...
app.UseSessionAuthentication(new SessionAuthenticationOptions {
    PolicyName = "Session"
});
app.UseAuthentication();
app.UseAuthorization();

/// ...
/// This is the static files route that should also be authenticated
    app.UseStaticFiles(new StaticFileOptions {
        FileProvider = new PhysicalFileProvider(
            Path.Combine(Directory.GetCurrentDirectory(), @"Frontend", @"dist")),
        RequestPath = new PathString("/")
    });

builder.Services.AddAuthentication("Session")
    .AddScheme<SessionAuthenticationSchemeOptions, SessionAuthenticationHandler>("Session", options => { });
builder.Services.AddAuthorization(options => {
    options.AddPolicy("Session",
        policyBuilder => policyBuilder.AddAuthenticationSchemes("Session").RequireAuthenticatedUser().Build());
});

/// ...
app.UseSessionAuthentication(new SessionAuthenticationOptions {
    PolicyName = "Session"
});
app.UseAuthentication();
app.UseAuthorization();

/// ...
/// This is the static files route that should also be authenticated
    app.UseStaticFiles(new StaticFileOptions {
        FileProvider = new PhysicalFileProvider(
            Path.Combine(Directory.GetCurrentDirectory(), @"Frontend", @"dist")),
        RequestPath = new PathString("/")
    });

builder.Services.AddAuthentication("Session")
    .AddScheme<SessionAuthenticationSchemeOptions, SessionAuthenticationHandler>("Session", options => { });
builder.Services.AddAuthorization(options => {
    options.AddPolicy("Session",
        policyBuilder => policyBuilder.AddAuthenticationSchemes("Session").RequireAuthenticatedUser().Build());
});

/// ...
app.UseSessionAuthentication(new SessionAuthenticationOptions {
    PolicyName = "Session"
});
app.UseAuthentication();
app.UseAuthorization();

/// ...
/// This is the static files route that should also be authenticated
    app.UseStaticFiles(new StaticFileOptions {
        FileProvider = new PhysicalFileProvider(
            Path.Combine(Directory.GetCurrentDirectory(), @"Frontend", @"dist")),
        RequestPath = new PathString("/")
    });

R

reinaldyrflOP•10/13/23, 7:11 AM

SessionAuthenticationHandler.cs

public class SessionAuthenticationHandler : AuthenticationHandler<SessionAuthenticationSchemeOptions> {
    private readonly ILoginClient _loginClient;
    private readonly IMemoryCache _memoryCache;

    public SessionAuthenticationHandler(IOptionsMonitor<SessionAuthenticationSchemeOptions> optionsMonitor,
        ILoggerFactory logger,
        UrlEncoder encoder,
        ISystemClock clock,
        ILoginClient loginServerClient,
        IMemoryCache memoryCache) : base(optionsMonitor,
        logger,
        encoder,
        clock) {
        _loginClient = loginServerClient;
        _memoryCache = memoryCache;
    }

    protected override async Task<AuthenticateResult> HandleAuthenticateAsync() {
        if (Request.Query.TryGetValue("sessionId", out StringValues sessionId)) {
            // I'm hiding implementation details because of Discord's message limit

            string accessToken = ConvertSessionIdToAccessToken(sessionId.ToString());
            return BuildTicket(accessToken);
        }

        // If query string is empty, we shall check for cookies
        if (Request.Cookies.TryGetValue("ApplicationSession", out string? postChartAccessToken)) {
            // TODO: Authenticate

            return BuildTicket("");
        }

        // HERE! It should be authenticated even if it's from anonymous user.
        return BuildTicket("");
    }

    private AuthenticateResult BuildTicket(string accessToken) {
        var claims = new List<Claim> {
            new(ClaimTypes.Name, "Session"),
            new(ClaimTypes.Expiration, "3600"),
            new(ClaimTypes.Anonymous, string.IsNullOrEmpty(accessToken) ? "true" : "false")
        };

        var identity = new ClaimsIdentity(claims, Scheme.Name);
        var principal = new GenericPrincipal(identity, null);
        var ticket = new AuthenticationTicket(principal, Scheme.Name);
        return AuthenticateResult.Success(ticket);
    }
}

public class SessionAuthenticationHandler : AuthenticationHandler<SessionAuthenticationSchemeOptions> {
    private readonly ILoginClient _loginClient;
    private readonly IMemoryCache _memoryCache;

    public SessionAuthenticationHandler(IOptionsMonitor<SessionAuthenticationSchemeOptions> optionsMonitor,
        ILoggerFactory logger,
        UrlEncoder encoder,
        ISystemClock clock,
        ILoginClient loginServerClient,
        IMemoryCache memoryCache) : base(optionsMonitor,
        logger,
        encoder,
        clock) {
        _loginClient = loginServerClient;
        _memoryCache = memoryCache;
    }

    protected override async Task<AuthenticateResult> HandleAuthenticateAsync() {
        if (Request.Query.TryGetValue("sessionId", out StringValues sessionId)) {
            // I'm hiding implementation details because of Discord's message limit

            string accessToken = ConvertSessionIdToAccessToken(sessionId.ToString());
            return BuildTicket(accessToken);
        }

        // If query string is empty, we shall check for cookies
        if (Request.Cookies.TryGetValue("ApplicationSession", out string? postChartAccessToken)) {
            // TODO: Authenticate

            return BuildTicket("");
        }

        // HERE! It should be authenticated even if it's from anonymous user.
        return BuildTicket("");
    }

    private AuthenticateResult BuildTicket(string accessToken) {
        var claims = new List<Claim> {
            new(ClaimTypes.Name, "Session"),
            new(ClaimTypes.Expiration, "3600"),
            new(ClaimTypes.Anonymous, string.IsNullOrEmpty(accessToken) ? "true" : "false")
        };

        var identity = new ClaimsIdentity(claims, Scheme.Name);
        var principal = new GenericPrincipal(identity, null);
        var ticket = new AuthenticationTicket(principal, Scheme.Name);
        return AuthenticateResult.Success(ticket);
    }
}

public class SessionAuthenticationHandler : AuthenticationHandler<SessionAuthenticationSchemeOptions> {
    private readonly ILoginClient _loginClient;
    private readonly IMemoryCache _memoryCache;

    public SessionAuthenticationHandler(IOptionsMonitor<SessionAuthenticationSchemeOptions> optionsMonitor,
        ILoggerFactory logger,
        UrlEncoder encoder,
        ISystemClock clock,
        ILoginClient loginServerClient,
        IMemoryCache memoryCache) : base(optionsMonitor,
        logger,
        encoder,
        clock) {
        _loginClient = loginServerClient;
        _memoryCache = memoryCache;
    }

    protected override async Task<AuthenticateResult> HandleAuthenticateAsync() {
        if (Request.Query.TryGetValue("sessionId", out StringValues sessionId)) {
            // I'm hiding implementation details because of Discord's message limit

            string accessToken = ConvertSessionIdToAccessToken(sessionId.ToString());
            return BuildTicket(accessToken);
        }

        // If query string is empty, we shall check for cookies
        if (Request.Cookies.TryGetValue("ApplicationSession", out string? postChartAccessToken)) {
            // TODO: Authenticate

            return BuildTicket("");
        }

        // HERE! It should be authenticated even if it's from anonymous user.
        return BuildTicket("");
    }

    private AuthenticateResult BuildTicket(string accessToken) {
        var claims = new List<Claim> {
            new(ClaimTypes.Name, "Session"),
            new(ClaimTypes.Expiration, "3600"),
            new(ClaimTypes.Anonymous, string.IsNullOrEmpty(accessToken) ? "true" : "false")
        };

        var identity = new ClaimsIdentity(claims, Scheme.Name);
        var principal = new GenericPrincipal(identity, null);
        var ticket = new AuthenticationTicket(principal, Scheme.Name);
        return AuthenticateResult.Success(ticket);
    }
}

public class SessionAuthenticationHandler : AuthenticationHandler<SessionAuthenticationSchemeOptions> {
    private readonly ILoginClient _loginClient;
    private readonly IMemoryCache _memoryCache;

    public SessionAuthenticationHandler(IOptionsMonitor<SessionAuthenticationSchemeOptions> optionsMonitor,
        ILoggerFactory logger,
        UrlEncoder encoder,
        ISystemClock clock,
        ILoginClient loginServerClient,
        IMemoryCache memoryCache) : base(optionsMonitor,
        logger,
        encoder,
        clock) {
        _loginClient = loginServerClient;
        _memoryCache = memoryCache;
    }

    protected override async Task<AuthenticateResult> HandleAuthenticateAsync() {
        if (Request.Query.TryGetValue("sessionId", out StringValues sessionId)) {
            // I'm hiding implementation details because of Discord's message limit

            string accessToken = ConvertSessionIdToAccessToken(sessionId.ToString());
            return BuildTicket(accessToken);
        }

        // If query string is empty, we shall check for cookies
        if (Request.Cookies.TryGetValue("ApplicationSession", out string? postChartAccessToken)) {
            // TODO: Authenticate

            return BuildTicket("");
        }

        // HERE! It should be authenticated even if it's from anonymous user.
        return BuildTicket("");
    }

    private AuthenticateResult BuildTicket(string accessToken) {
        var claims = new List<Claim> {
            new(ClaimTypes.Name, "Session"),
            new(ClaimTypes.Expiration, "3600"),
            new(ClaimTypes.Anonymous, string.IsNullOrEmpty(accessToken) ? "true" : "false")
        };

        var identity = new ClaimsIdentity(claims, Scheme.Name);
        var principal = new GenericPrincipal(identity, null);
        var ticket = new AuthenticationTicket(principal, Scheme.Name);
        return AuthenticateResult.Success(ticket);
    }
}

R

reinaldyrflOP•10/13/23, 7:11 AM

SessionAuthenticationMiddleware.cs

public static class SessionAuthenticationExtension {
    public static IApplicationBuilder UseSessionAuthentication(this IApplicationBuilder applicationBuilder,
        SessionAuthenticationOptions options) {
        return applicationBuilder.UseMiddleware<SessionAuthentication>(options);
    }
}

public static class SessionAuthenticationExtension {
    public static IApplicationBuilder UseSessionAuthentication(this IApplicationBuilder applicationBuilder,
        SessionAuthenticationOptions options) {
        return applicationBuilder.UseMiddleware<SessionAuthentication>(options);
    }
}

public static class SessionAuthenticationExtension {
    public static IApplicationBuilder UseSessionAuthentication(this IApplicationBuilder applicationBuilder,
        SessionAuthenticationOptions options) {
        return applicationBuilder.UseMiddleware<SessionAuthentication>(options);
    }
}

public static class SessionAuthenticationExtension {
    public static IApplicationBuilder UseSessionAuthentication(this IApplicationBuilder applicationBuilder,
        SessionAuthenticationOptions options) {
        return applicationBuilder.UseMiddleware<SessionAuthentication>(options);
    }
}

R

reinaldyrflOP•10/13/23, 7:11 AM

SessionAuthentication.cs

public class SessionAuthentication {
    private readonly RequestDelegate _next;
    private readonly string _policyName;

    public SessionAuthentication(RequestDelegate next, SessionAuthenticationOptions options) {
        _next = next;
        _policyName = options.PolicyName;
    }

    public async Task Invoke(HttpContext httpContext, IAuthorizationService authorizationService) {
        AuthorizationResult authorized = await authorizationService.AuthorizeAsync(
            httpContext.User, null, _policyName);

        if (!authorized.Succeeded) {
            await httpContext.ChallengeAsync();
            return;
        }

        await _next(httpContext);
    }
}

public class SessionAuthentication {
    private readonly RequestDelegate _next;
    private readonly string _policyName;

    public SessionAuthentication(RequestDelegate next, SessionAuthenticationOptions options) {
        _next = next;
        _policyName = options.PolicyName;
    }

    public async Task Invoke(HttpContext httpContext, IAuthorizationService authorizationService) {
        AuthorizationResult authorized = await authorizationService.AuthorizeAsync(
            httpContext.User, null, _policyName);

        if (!authorized.Succeeded) {
            await httpContext.ChallengeAsync();
            return;
        }

        await _next(httpContext);
    }
}

public class SessionAuthentication {
    private readonly RequestDelegate _next;
    private readonly string _policyName;

    public SessionAuthentication(RequestDelegate next, SessionAuthenticationOptions options) {
        _next = next;
        _policyName = options.PolicyName;
    }

    public async Task Invoke(HttpContext httpContext, IAuthorizationService authorizationService) {
        AuthorizationResult authorized = await authorizationService.AuthorizeAsync(
            httpContext.User, null, _policyName);

        if (!authorized.Succeeded) {
            await httpContext.ChallengeAsync();
            return;
        }

        await _next(httpContext);
    }
}

public class SessionAuthentication {
    private readonly RequestDelegate _next;
    private readonly string _policyName;

    public SessionAuthentication(RequestDelegate next, SessionAuthenticationOptions options) {
        _next = next;
        _policyName = options.PolicyName;
    }

    public async Task Invoke(HttpContext httpContext, IAuthorizationService authorizationService) {
        AuthorizationResult authorized = await authorizationService.AuthorizeAsync(
            httpContext.User, null, _policyName);

        if (!authorized.Succeeded) {
            await httpContext.ChallengeAsync();
            return;
        }

        await _next(httpContext);
    }
}

J

JakenVeina•10/13/23, 7:21 PM

you're on the right track with implementing your own

AuthenticationHandler

AuthenticationHandler

AuthenticationHandler

AuthenticationHandler class

J

JakenVeina•10/13/23, 7:21 PM

what's different about this approach than the ready-made Session auth scheme?

J

JakenVeina•10/13/23, 7:22 PM

I.E. Cookies

J

JakenVeina•10/13/23, 7:22 PM

you definitely do not need to be implementing your own middleware

A

Accord•10/14/23, 7:48 PM

Was this issue resolved? If so, run

/close

/close

otherwise I will mark this as stale and this post will be archived until there is new activity.

JJakenVeina you definitely do not need to be implementing your own middleware

R

reinaldyrflOP•10/15/23, 3:25 AM

I don't understand why I didn't need to implement my own middleware. Since for my current case, anonymous access should be possible for now.

R

reinaldyrflOP•10/15/23, 3:26 AM

Or.. should ai rename my scheme to anything other than "Session"?

J

JakenVeina•10/15/23, 3:34 AM

what does creating custom middleware have to do with allowing anonymous access?

J

JakenVeina•10/15/23, 3:34 AM

why do you think that anonymous access is only possible if you create custom middleware?

JJakenVeina why do you think that anonymous access is only possible if you create custom mid...

R

reinaldyrflOP•10/15/23, 11:21 AM

I got where you confused at. I'm creating allow anonymous access inside the middleware only for development purposes.

R

reinaldyrflOP•10/15/23, 11:21 AM

Yes I know that I can just toggle app.Configuration.Environment condition, but this is something I'd like to try (if this is possible)

R

reinaldyrflOP•10/15/23, 11:22 AM

So assuming I don't need to change my scheme name to anything else and just do authenticated access all the time, and you've said I'm on the right track.. then what other things that I need to know moving on?

J

JakenVeina•10/15/23, 5:21 PM

if that's what you want to go with, you should
A) name your middleware more appropriately, E.G.

DevelopmentAuthorizationMiddleware

DevelopmentAuthorizationMiddleware

DevelopmentAuthorizationMiddleware

DevelopmentAuthorizationMiddleware, and then make it actually do what you describe, cause right now doesn't allow anonymous access for anything
B) inject it like this:

if (environment is Environment.Development)
    app.UseMiddleware<DevelopmentAuthorizationMiddleware>()
else
    app.UseAuthorization();

if (environment is Environment.Development)
    app.UseMiddleware<DevelopmentAuthorizationMiddleware>()
else
    app.UseAuthorization();

if (environment is Environment.Development)
    app.UseMiddleware<DevelopmentAuthorizationMiddleware>()
else
    app.UseAuthorization();

if (environment is Environment.Development)
    app.UseMiddleware<DevelopmentAuthorizationMiddleware>()
else
    app.UseAuthorization();

J

JakenVeina•10/15/23, 5:22 PM

more likely, you can find a way to achieve this through just policies, or just.... don't do this at all

J

JakenVeina•10/15/23, 5:45 PM

if you just want to avoid having to sign in all the time in DVLP, there's ways to do that through config and tooling

JJakenVeina if that's what you want to go with, you should A) name your middleware more appr...

R

reinaldyrflOP•10/15/23, 10:17 PM

Thank you so much!

✅ How do you create custom authz/autho in ASP.NET Core?

Similar Threads

Similar Threads

Similar Threads