How do you create a custom AuthorizeAttribute in ASP.NET Core?

Asked 16/7, 2015 at 20:55 Answered 12/8, 2022 at 9:12

Solved c#asp.net-core asp.net-core-mvc authorization

657

I'm trying to make a custom authorization attribute in ASP.NET Core. In previous versions it was possible to override bool AuthorizeCore(HttpContextBase httpContext). But this no longer exists in AuthorizeAttribute.

What is the current approach to make a custom AuthorizeAttribute?

What I am trying to accomplish: I am receiving a session ID in the Header Authorization. From that ID I'll know whether a particular action is valid.

Hallagan answered 16/7, 2015 at 20:55 Comment(2)

I'm not sure how to do it, but MVC is open source. You could pull the github repo and look for implementations of IAuthorizationFilter. If I have time today I'll look for you and post an actual answer, but no promises. github repo: github.com/aspnet/Mvc – Slink 16/7, 2015 at 21:7

OK, out of time, but look for usages of AuthorizationPolicy in the MVC Repo, which uses AuthorizeAttribute, in the aspnet/Security repo, here: github.com/aspnet/Security. Alternately, look in the MVC repo for the namespace where the security stuff you care about seems to reside, which is Microsoft.AspNet.Authorization. Sorry I can't be more helpful. Good luck! – Slink 16/7, 2015 at 21:30

727

The approach recommended by the ASP.Net Core team is to use the new policy design which is fully documented here. The basic idea behind the new approach is to use the new [Authorize] attribute to designate a "policy" (e.g. [Authorize( Policy = "YouNeedToBe18ToDoThis")] where the policy is registered in the application's Startup.cs to execute some block of code (i.e. ensure the user has an age claim where the age is 18 or older).

The policy design is a great addition to the framework and the ASP.Net Security Core team should be commended for its introduction. That said, it isn't well-suited for all cases. The shortcoming of this approach is that it fails to provide a convenient solution for the most common need of simply asserting that a given controller or action requires a given claim type. In the case where an application may have hundreds of discrete permissions governing CRUD operations on individual REST resources ("CanCreateOrder", "CanReadOrder", "CanUpdateOrder", "CanDeleteOrder", etc.), the new approach either requires repetitive one-to-one mappings between a policy name and a claim name (e.g. options.AddPolicy("CanUpdateOrder", policy => policy.RequireClaim(MyClaimTypes.Permission, "CanUpdateOrder));), or writing some code to perform these registrations at run time (e.g. read all claim types from a database and perform the aforementioned call in a loop). The problem with this approach for the majority of cases is that it's unnecessary overhead.

While the ASP.Net Core Security team recommends never creating your own solution, in some cases this may be the most prudent option with which to start.

The following is an implementation which uses the IAuthorizationFilter to provide a simple way to express a claim requirement for a given controller or action:

public class ClaimRequirementAttribute : TypeFilterAttribute
{
    public ClaimRequirementAttribute(string claimType, string claimValue) : base(typeof(ClaimRequirementFilter))
    {
        Arguments = new object[] {new Claim(claimType, claimValue) };
    }
}

public class ClaimRequirementFilter : IAuthorizationFilter
{
    readonly Claim _claim;

    public ClaimRequirementFilter(Claim claim)
    {
        _claim = claim;
    }

    public void OnAuthorization(AuthorizationFilterContext context)
    {
        var hasClaim = context.HttpContext.User.Claims.Any(c => c.Type == _claim.Type && c.Value == _claim.Value);
        if (!hasClaim)
        {
            context.Result = new ForbidResult();
        }
    }
}


[Route("api/resource")]
public class MyController : Controller
{
    [ClaimRequirement(MyClaimTypes.Permission, "CanReadResource")]
    [HttpGet]
    public IActionResult GetResource()
    {
        return Ok();
    }
}

Kine answered 27/12, 2016 at 15:54 Comment(15)

HOw would one register the ClaimRequirementFilter? Is it handled automatically? – Madid 28/10, 2021 at 23:29

Weird that someone deleted the comments from all the answers here. Anyway, there is no registration required. The framework automatically invokes the filter by virtue of it extending TypeFilterAttribute. – Kine 3/12, 2021 at 21:25

This is great! Works in a controller. How to check in a Razor page? – Transcription 11/1, 2022 at 19:54

This approach is returning an InvalidOperationException if I do context.Result = new ForbiddenResult(); how are we supposed to do this in dotnet 6? – Fluorspar 27/5, 2022 at 8:51

As it is not possible to register all policies, there exists IAuthorizationPolicyProvider. You need to implement it. Please refer to the documentation here – Shuler 8/6, 2022 at 9:16

How does this work with multiple schemes? – Personnel 27/7, 2022 at 23:8

@jixtra You can include any logic you need in a filter. Are you wanting to perform logic based on current authorization filters? If so, you should be able to retrieve that by injecting IAuthenticationSchemeProvider. – Kine 29/7, 2022 at 7:4

The one thing missing in this solution is that you cannot use as Task based method inside the AuthorizationFilter since it doesn't provide a Task based interface to implement. – Amygdaloid 18/8, 2022 at 8:9

If you need async behavior, you'd implement IAsyncAuthorizationFilter – Kine 18/8, 2022 at 23:14

This works perfectly, but how would one use this in the view when needed? – Continuative 6/1, 2023 at 14:40

After I tried all possible options: custom IAuthorizationFilter, custom IAuthorizationPolicyProvider for dynamic policy, custom attribute,... in few days and with writing unit test. Our finial solution is using requirement with static policy. We also can use IAuthorizationPolicyProvider but we have to implement caching policy, because we store some cooked meta-data on IAuthorizationRequirement for next time check access also. That is blowdart answer below I'm the asp.net security person... – Disenfranchise 19/3, 2023 at 2:43

I was looking for exactly same thing..!! Perfectly working for me without modifying Program files. – Southsouthwest 17/4, 2023 at 3:8

@DerekGreer if we have, for example, 50 claims that we want to check in Authorize attribute, would we create 50 policies or do a custom attribute implementation? what would be a recommended way for that? – Microsporangium 27/7, 2023 at 20:57

The most straightforward way is to use GetEndpont method from HttpContext as suggested by @rtype – Leanoraleant 27/9, 2023 at 6:51

Thank you for THE definitive way to customize authorization – Sandler 7/12, 2023 at 16:33

321

I'm the asp.net security person. ~~Firstly let me apologize that none of this is documented yet outside of the music store sample or unit tests, and it's all still being refined in terms of exposed APIs.~~ Detailed documentation is here.

We don't want you writing custom authorize attributes. If you need to do that we've done something wrong. Instead, you should be writing authorization requirements.

Authorization acts upon Identities. Identities are created by authentication.

You say in comments you want to check a session ID in a header. Your session ID would be the basis for identity. If you wanted to use the Authorize attribute you'd write an authentication middleware to take that header and turn it into an authenticated ClaimsPrincipal. You would then check that inside an authorization requirement. Authorization requirements can be as complicated as you like, for example here's one that takes a date of birth claim on the current identity and will authorize if the user is over 18;

public class Over18Requirement : AuthorizationHandler<Over18Requirement>, IAuthorizationRequirement
{
  public override void Handle(AuthorizationHandlerContext context, Over18Requirement requirement)
  {
    if (!context.User.HasClaim(c => c.Type == ClaimTypes.DateOfBirth))
    {
      context.Fail();
      return;
    }

    var dobVal = context.User.FindFirst(c => c.Type == ClaimTypes.DateOfBirth).Value;
    var dateOfBirth = Convert.ToDateTime(dobVal);
    int age = DateTime.Today.Year - dateOfBirth.Year;
    if (dateOfBirth > DateTime.Today.AddYears(-age))
    {
      age--;
    }

    if (age >= 18)
    {
      context.Succeed(requirement);
    }
    else
    {
      context.Fail();
    }
  }
}

Then in your ConfigureServices() function you'd wire it up

services.AddAuthorization(options =>
{
    options.AddPolicy("Over18", 
        policy => policy.Requirements.Add(new Authorization.Over18Requirement()));
});

And finally, apply it to a controller or action method with

[Authorize(Policy = "Over18")]

Chigoe answered 16/7, 2015 at 21:57 Comment(10)

I have to comment that, all this is more complex than implementing a custom authorization method. I know how I want authorization to be done I could just go and write it in MVC 5, in MVC 6 they add a lot of "done" code that is actually more complex to understand than implementing the core "thing" itself. Gets me sitting in front of a page trying to figure something out instead of writing code right through, also a big pain for people who use RDBMS other than Microsoft's (or No-Sql). – Ita 10/12, 2015 at 17:24

I, like many others in these comments, am very disappointed that using attributes for authorization has been so greatly neutered over what was possible in Web API 2. Sorry guys, but your "requirement" abstraction fails to cover any case where we could previously use attribute constructor parameters to inform an underlying authorization algorithm. It used to be brain-dead simple to do something like [CustomAuthorize(Operator.And, Permission.GetUser, Permission.ModifyUser)]. I could use a single custom attribute in an infinite number of ways simply by modifying the constructor parameters. – Devalue 14/11, 2016 at 20:51

I am also shocked that the self-proclaimed "Lead ASP.NET security guy" is actually suggesting to use magic strings (hacking the meaning of IAuthorizeData.Policy) and custom policy providers to overcome this blatant oversight, rather than addressing it within the framework. I thought we weren't supposed to be creating our own implementations? You've left several of us no choice except to re-implement authorization from scratch (again), and this time without even the benefit of Web API's old Authorize attribute. Now we have to do it on the action filter or middleware level. – Devalue 14/11, 2016 at 20:54

“Life is really simple, but we insist on making it complicated.” - Confucious – Robertroberta 2/3, 2022 at 10:46

What about using dependent services here ? How can they be used within the handler ...? – Respondent 28/4, 2022 at 12:47

Is it possible to use enums for the Policy names instead of strings? – Antiicer 29/9, 2022 at 11:13

I have just found out that actions can't override the policies of the controller (I stand corrected), which forces me to create my own attribute. Please don't force us to stick to a limited way of doing things - you can't possibly foresee all the scenarios you need to cater for, so provide for flexibility. Development is not a religion - "best practice" can change over time and isn't a rule, it's just a guideline. – Phonoscope 23/8, 2023 at 17:41

Hello. In my case, I am developing an application that I need to authorize users by module. An administrator is able to set which modules a user has access to. That authorization will be saved in database. I don't see other way to accomplish this besides creating a custom AuthorizationAttribute. Do you? – Concerning 30/9, 2023 at 20:4

@Concerning there’s nothing wrong with implementing your own Attribute inheriting from the base AuthorizeAttribute overriding what you need; it is by design a valid approach and how you can then implement your own constructor injected values, enums (to stop using magic strings), etc. But do not implement your authorization logic in the Attribute — that is wrong and has numerous issues. The Attribute should only contain configuration of the auth settings (eg perhaps a Module Enum that is then set into the Roles), all logic to enforce this should be done in Middleware or in a Filter. – Lilytrotter 2/10, 2023 at 0:33

@Concerning but if you can leverage the existing Roles or Policy approach then no custom middleware or filter is needed. For example just set the correct role claims on your user, configure your custom Attribute to store the valid/acceptable on the base Attributes Roles collection and it will work. – Lilytrotter 2/10, 2023 at 0:42

179

It seems that with ASP.NET Core 2, you can again inherit AuthorizeAttribute, you just need to also implement IAuthorizationFilter (or IAsyncAuthorizationFilter):

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]
public class CustomAuthorizeAttribute : AuthorizeAttribute, IAuthorizationFilter
{
    private readonly string _someFilterParameter;

    public CustomAuthorizeAttribute(string someFilterParameter)
    {
        _someFilterParameter = someFilterParameter;
    }

    public void OnAuthorization(AuthorizationFilterContext context)
    {
        var user = context.HttpContext.User;

        if (!user.Identity.IsAuthenticated)
        {
            // it isn't needed to set unauthorized result 
            // as the base class already requires the user to be authenticated
            // this also makes redirect to a login page work properly
            // context.Result = new UnauthorizedResult();
            return;
        }

        // you can also use registered services
        var someService = context.HttpContext.RequestServices.GetService<ISomeService>();

        var isAuthorized = someService.IsUserAuthorized(user.Identity.Name, _someFilterParameter);
        if (!isAuthorized)
        {
            context.Result = new StatusCodeResult((int)System.Net.HttpStatusCode.Forbidden);
            return;
        }
    }
}

Reading answered 12/1, 2018 at 14:32 Comment(15)

So you can only use this to deny authorization, not grant it? – Caerleon 29/8, 2018 at 10:44

@Caerleon By granting, you mean overriding another authorization attribute? – Reading 30/8, 2018 at 11:5

I guess you could put it like that. I mean effectively allowing access to the resource. – Caerleon 30/8, 2018 at 15:6

AFAIK, access is allowed by default, so you need to explicitly deny it (e.g., by adding an AuthorizeAttribute). Check this question for more details: #17272922 – Reading 3/9, 2018 at 10:8

Also note, in suggested example one doesn't have to inherit from AuthorizeAttribute. You can inherit from Attribute and IAuthorizationFilter. This way you wouldn't get the following exception if some non-standard authentication mechanism is used: InvalidOperationException: No authenticationScheme was specified, and there was no DefaultChallengeScheme found. – Nonparous 30/11, 2018 at 8:39

@Nonparous I still receive that error if I choose to do a context.Result = new ForbidResult();. But I'm liking this option so far. – Beaming 1/12, 2018 at 5:23

Note that if your OnAuthorization implementation needs to await an async method, you should implement IAsyncAuthorizationFilter instead of IAuthorizationFilter otherwise your filter will execute synchronously and your controller action will execute regardless of the outcome of the filter. – Infer 23/3, 2019 at 20:47

I wanted to deny expired tokens, but accept anonymus as well, this helped me return unauthorized if the token is expired but accept no token. Thanks, this helped a lot – Detonate 10/4, 2020 at 17:35

Hey @Nonparous can you explain what's the difference between inheriting from Attribute instead of AuthorizeAttribute in this case. What's the reason why we get the InvalidOperationException: No authenticationSchema was specified, and there was no DefaultChallengeScheme found. when inheriting from AuthorizeAttribute and implementing IAuthorizationFilter? Thanks! – Real 22/7, 2021 at 22:38

@Real That comment was from 2.5 years ago. I don't remember. =) – Nonparous 24/7, 2021 at 0:19

Thanks for this. My simple scenario was "if Request is a preflight OPTIONS then respond with some headers and quit" and MS's "official way" is way overengineered to do this simple thing. – Jujube 26/8, 2021 at 20:0

using Microsoft.Extensions.DependencyInjection; For using T? GetService<T> – Eriha 22/6, 2022 at 18:50

@PeterBons Have you checked IAsyncAuthorizationFilter? – Reading 19/8, 2022 at 9:46

This doesn't work for me. _someFilterParameter is set during app startup, but in OnAuthorization() I have always null in _someFilterParameter. .NET 6 – Cascabel 4/10, 2022 at 18:26

Based on Derek Greer GREAT answer, i did it with enums.

Here is an example of my code:

public enum PermissionItem
{
    User,
    Product,
    Contact,
    Review,
    Client
}

public enum PermissionAction
{
    Read,
    Create,
}


public class AuthorizeAttribute : TypeFilterAttribute
{
    public AuthorizeAttribute(PermissionItem item, PermissionAction action)
    : base(typeof(AuthorizeActionFilter))
    {
        Arguments = new object[] { item, action };
    }
}

public class AuthorizeActionFilter : IAuthorizationFilter
{
    private readonly PermissionItem _item;
    private readonly PermissionAction _action;
    public AuthorizeActionFilter(PermissionItem item, PermissionAction action)
    {
        _item = item;
        _action = action;
    }
    public void OnAuthorization(AuthorizationFilterContext context)
    {
        bool isAuthorized = MumboJumboFunction(context.HttpContext.User, _item, _action); // :)

        if (!isAuthorized)
        {
            context.Result = new ForbidResult();
        }
    }
}

public class UserController : BaseController
{
    private readonly DbContext _context;

    public UserController( DbContext context) :
        base()
    {
        _logger = logger;
    }

    [Authorize(PermissionItem.User, PermissionAction.Read)]
    public async Task<IActionResult> Index()
    {
        return View(await _context.User.ToListAsync());
    }
}

Rhiannonrhianon answered 4/5, 2017 at 16:52 Comment(7)

Thanks for this. I created this post with a slightly different implementation and a request for validation #49551547 – Poulterer 29/3, 2018 at 8:13

U didnt show in your answer how one would apply this to the user ie how did u store the permission bit against the current user – Quincy 13/5, 2021 at 0:11

@rogue39nin, you can use Claims (context.HttpContext.User.Claims) to add some extra public metadata to your token. You can also use database, call external services or any other methods that allow you to get that information. – Rhiannonrhianon 13/5, 2021 at 15:12

@bruno.almeida, this works great. How would I use it in a Razor view though? – Transcription 12/1, 2022 at 16:33

Just info for blazor user; This IAuthorizationFilter and TypeFilterAttribute don't work in blazor, I already tried, and IAuhtorizationFilter never get called. – Dentate 14/4, 2022 at 13:43

How to filter the authentication scheme with this pattern? – Personnel 26/7, 2022 at 17:24

You can create your own AuthorizationHandler that will find custom attributes on your Controllers and Actions, and pass them to the HandleRequirementAsync method.

public abstract class AttributeAuthorizationHandler<TRequirement, TAttribute> : AuthorizationHandler<TRequirement> where TRequirement : IAuthorizationRequirement where TAttribute : Attribute
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, TRequirement requirement)
    {
        var attributes = new List<TAttribute>();

        var action = (context.Resource as AuthorizationFilterContext)?.ActionDescriptor as ControllerActionDescriptor;
        if (action != null)
        {
            attributes.AddRange(GetAttributes(action.ControllerTypeInfo.UnderlyingSystemType));
            attributes.AddRange(GetAttributes(action.MethodInfo));
        }

        return HandleRequirementAsync(context, requirement, attributes);
    }

    protected abstract Task HandleRequirementAsync(AuthorizationHandlerContext context, TRequirement requirement, IEnumerable<TAttribute> attributes);

    private static IEnumerable<TAttribute> GetAttributes(MemberInfo memberInfo)
    {
        return memberInfo.GetCustomAttributes(typeof(TAttribute), false).Cast<TAttribute>();
    }
}

Then you can use it for any custom attributes you need on your controllers or actions. For example to add permission requirements. Just create your custom attribute.

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public class PermissionAttribute : AuthorizeAttribute
{
    public string Name { get; }

    public PermissionAttribute(string name) : base("Permission")
    {
        Name = name;
    }
}

Then create a Requirement to add to your Policy

public class PermissionAuthorizationRequirement : IAuthorizationRequirement
{
    //Add any custom requirement properties if you have them
}

Then create the AuthorizationHandler for your custom attribute, inheriting the AttributeAuthorizationHandler that we created earlier. It will be passed an IEnumerable for all your custom attributes in the HandleRequirementsAsync method, accumulated from your Controller and Action.

public class PermissionAuthorizationHandler : AttributeAuthorizationHandler<PermissionAuthorizationRequirement, PermissionAttribute>
{
    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, PermissionAuthorizationRequirement requirement, IEnumerable<PermissionAttribute> attributes)
    {
        foreach (var permissionAttribute in attributes)
        {
            if (!await AuthorizeAsync(context.User, permissionAttribute.Name))
            {
                return;
            }
        }

        context.Succeed(requirement);
    }

    private Task<bool> AuthorizeAsync(ClaimsPrincipal user, string permission)
    {
        //Implement your custom user permission logic here
    }
}

And finally, in your Startup.cs ConfigureServices method, add your custom AuthorizationHandler to the services, and add your Policy.

        services.AddSingleton<IAuthorizationHandler, PermissionAuthorizationHandler>();

        services.AddAuthorization(options =>
        {
            options.AddPolicy("Permission", policyBuilder =>
            {
                policyBuilder.Requirements.Add(new PermissionAuthorizationRequirement());
            });
        });

Now you can simply decorate your Controllers and Actions with your custom attribute.

[Permission("AccessCustomers")]
public class CustomersController
{
    [Permission("AddCustomer")]
    IActionResult AddCustomer([FromBody] Customer customer)
    {
        //Add customer
    }
}

Fibula answered 26/11, 2016 at 23:46 Comment(14)

This is quite overengineered... I solved the same using a simple AuthorizationFilterAttribute wich receives a parameter. You don't need reflection for this, it seems even more artificious than the "official" solution (that I find quite poor). – Sectarian 28/11, 2016 at 10:20

@Sectarian I couldn't find much information on AuthorizationFilters in ASP.NET Core. The official documentation page says they are currently working on this topic. learn.microsoft.com/en-us/aspnet/core/security/authorization/… – Fibula 28/11, 2016 at 21:13

@Sectarian Can you please share your solution, if there is a simpler way to achieve this I would love to know. – Fibula 29/11, 2016 at 2:55

I actually like this solution, it leverages the new policy system and combines Attributes to provide a pretty clean solution. I use a global Authorize attribute to ensure the user is logged in, then apply a permission policy where required. – Olette 21/6, 2017 at 12:54

One thing to note the use of UnderlyingSystemType above does not compile, but removing it seems to work. – Olette 21/6, 2017 at 12:54

I'm trying this solution out, but in HandleRequirementAsync the action property becomes null, and then no attributes get set. – Cyclopedia 12/10, 2020 at 9:13

I found the solution to my problem here: https://mcmap.net/q/64959/-how-can-i-get-route-attributes-dotnet-core-3 – Cyclopedia 12/10, 2020 at 12:42

This solution is great. Reminds me of the IdentityServer3 ResourceAuthorization. It looks like AuthorizeAsync handles the permission checking logic. Do you have example use cases for what PermissionAuthorizationRequirement would be used for? Going to policy based requirements is new for me. – Spongioblast 18/12, 2020 at 16:50

@Spongioblast Requirements are, typically, declarative ways to specifying what needs to be fulfilled for a given Policy. This example is a bit different because the PermissionAuthorizationRequirement is not specifying the requirement data, instead it is being used to "glue" a Policy ("Permission") to a Requirement Handler (PermissionAuthorizationHandler). In this example, the attributes are storing the declarative requirements, instead of having 100s of specific Requirement <-> Policy mappings. – Clari 19/12, 2020 at 22:41

How to use this with multiple schemes? – Personnel 27/7, 2022 at 23:9

I'm returning return new Task<bool>(() => { return true; }); in the AuthorizeAsync() as a test. But it seems afterwards it gets stuck and nothing happens. Am I missing something? – Roca 16/9, 2022 at 13:52

I like this solution, but in PermissionAuthorizationHandler the attributes always = 0, could someone help me in figure it out, why? – Taliped 18/1, 2023 at 17:0

I found why because I use Blazor and Blazor uses Components no Controllers in this case var action = (context.Resource as AuthorizationFilterContext)?.ActionDescriptor as ControllerActionDescriptor; – Taliped 18/1, 2023 at 17:36

For Blazor needs to use this one var pageTypeList = Assembly.GetExecutingAssembly().GetTypes().Where(t => t.GetCustomAttribute(typeof(PermissionAttribute)) != null); – Taliped 18/1, 2023 at 18:46

I decided to add another simple answer. B/c I find most of these answers a little overengineered. And also because I needed a way to GRANT authorization, not just DENY it. Most of the answers here offer a way to "tighten" security, but I wanted to "loosen" it. For example: "if some application setting is configured, then allow access to anonymous users".

public class MyAuthAttribute : Attribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationFilterContext context)
    {
        //check access 
        if (CheckPermissions())
        {
            //all good, add optional code if you want. Or don't
        }
        else
        {
            //DENIED!
            //return "ChallengeResult" to redirect to login page (for example)
            context.Result = new ChallengeResult(CookieAuthenticationDefaults.AuthenticationScheme);
        }
    }
}

That's it.

No need to mess with "policies", "claims", "handlers" and other [beep]

Usage:

// GET api/Get/5
[MyAuth]
public ActionResult<string> Get(int id)
{
    return "blahblah";
}

A little (optional) update from 2024

@Nikstr has asked in the comments how to use dependency injection with this. Check it out:

//basically same class as above, but just a filter, not an attribute
public class MyAuthFilter : IAuthorizationFilter
{
    private SomeService _service; //let's say you need a service for your auth

    //dependency ibjection in constructor
    public MyAuthAttribute(SomeService service)
    {
        _service = service;
    }

    public void OnAuthorization(AuthorizationFilterContext context)
    {
        //check access 
        if (CheckPermissions())
        {
            //all good, add optional code if you want. Or don't
        }
        else
        {
            //DENIED!
            context.Result = new ChallengeResult(CookieAuthenticationDefaults.AuthenticationScheme);
        }
    }
}

Now make sure you register this service in Startup.cs somethinng like .AddScoped(blahblah)

However usage is slightly different:

// GET api/Get/5
[TypeFilter<MyAuthFilter>] // <-- note this
public ActionResult<string> Get(int id)

TypeFilter simply tells the Framework to instantiate the attirbute every time and use DI when doing so. Just google for "TypeFilterAttribute" docs for more info

P.S.

If you don't like the uglyness of this line [TypeFilter<MyAuthFilter>] you can simply inherit from TypeFilter like this

//empty one-liner "wrapper" class that does nothing
public class MyAuthAttribute : TypeFilterAttribute<MyAuthFilter> { }

And then use it like before

[MyAuth] // <-- looks simpler huh
public ActionResult<string> Get(int id)

Jujube answered 29/8, 2021 at 16:31 Comment(5)

Thank you, at last a simple solution! Quite hard to find among all the over-engineered mess. – Streetwalker 18/2, 2022 at 12:17

The one thing missing in this solution is that you cannot use as Task based method inside the AuthorizationFilter since it doesn't provide a Task based interface to implement. That is why this very simple solution doesn't always work – Amygdaloid 18/8, 2022 at 8:10

@PeterBons for async - use IAsyncAuthorizationFilter – Jujube 19/8, 2022 at 12:57

Seems the major drawback of filters that we cannot use DI - meaning, normally, not in hacky way. – Gambell 14/3, 2023 at 22:45

@Gambell I just updated the answer for DI., Check it out. Sorry it took me forever to notice your comment – Jujube 17/2 at 16:51

What is the current approach to make a custom AuthorizeAttribute

For pure authorization scenarios (like restricting access to specific users only), the recommended approach is to use the new authorization block: https://github.com/aspnet/MusicStore/blob/1c0aeb08bb1ebd846726232226279bbe001782e1/samples/MusicStore/Startup.cs#L84-L92

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<AuthorizationOptions>(options =>
        {
            options.AddPolicy("ManageStore", policy => policy.RequireClaim("Action", "ManageStore"));
        });
    }
}

public class StoreController : Controller
{
    [Authorize(Policy = "ManageStore"), HttpGet]
    public async Task<IActionResult> Manage() { ... }
}

For authentication, it's best handled at the middleware level.

What are you trying to achieve exactly?

Kibitzer answered 16/7, 2015 at 21:4 Comment(11)

I am receiving a session ID in the Header Authorization. From that ID I'll know whether a particular action is valid. – Hallagan 16/7, 2015 at 21:9

Then that's not an authorization concern. I guess your "session ID" is actually a token containing the identity of the caller: this should definitely be done at the middleware level. – Southland 16/7, 2015 at 21:12

It isn't authentication (establishing who the user is) but it is authorization (determining if a user should have access to a resource). So where are you suggesting I look to solve this? – Hallagan 16/7, 2015 at 21:18

Curious: how are you creating your session identifiers? – Southland 16/7, 2015 at 21:19

@jltrem, agreed, what you are talking about is authorization, not authentication. – Slink 16/7, 2015 at 21:21

@Pinpoint I'm not creating them. I'm just the guy in the middle providing access to another system. – Hallagan 16/7, 2015 at 21:22

@EricBurcham a session identifier is definitely a way to identity (= authenticate) a user, I'm afraid. – Southland 16/7, 2015 at 21:22

@Hallagan but you're extracting some information from the identifier to determine who's the caller, right? – Southland 16/7, 2015 at 21:23

@Pinpoint I am not. I query another system for that info. That system authenticates (determines the user) and authorizes (tells me what that user can access). Right now I have it hacked to work by calling a method in each controller action to have the other system verify the session. I'd like to have this automatically happen via an attribute. – Hallagan 16/7, 2015 at 21:32

I am not. I query another system for that info... well, you're asking an external provider to authenticate your users, but that's exactly the same thing, I'm afraid. You should consider creating a new middleware for the external authentication part (it would query your remote system and retrieve user's identity before creating a new ClaimsPrincipal containing the roles or the actions the user is allowed to query) and adding a new authorization policy to ensure the caller has a role/claim allowing him/her to make the request. – Southland 16/7, 2015 at 21:38

Meanwhile this can be related to the question, is misspointed, and should be a comment at least. – Dissimilitude 14/12, 2021 at 16:57

The modern way is AuthenticationHandlers

in startup.cs add

services.AddAuthentication("BasicAuthentication").AddScheme<AuthenticationSchemeOptions, BasicAuthenticationHandler>("BasicAuthentication", null);

public class BasicAuthenticationHandler : AuthenticationHandler<AuthenticationSchemeOptions>
    {
        private readonly IUserService _userService;

        public BasicAuthenticationHandler(
            IOptionsMonitor<AuthenticationSchemeOptions> options,
            ILoggerFactory logger,
            UrlEncoder encoder,
            ISystemClock clock,
            IUserService userService)
            : base(options, logger, encoder, clock)
        {
            _userService = userService;
        }

        protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
        {
            if (!Request.Headers.ContainsKey("Authorization"))
                return AuthenticateResult.Fail("Missing Authorization Header");

            User user = null;
            try
            {
                var authHeader = AuthenticationHeaderValue.Parse(Request.Headers["Authorization"]);
                var credentialBytes = Convert.FromBase64String(authHeader.Parameter);
                var credentials = Encoding.UTF8.GetString(credentialBytes).Split(new[] { ':' }, 2);
                var username = credentials[0];
                var password = credentials[1];
                user = await _userService.Authenticate(username, password);
            }
            catch
            {
                return AuthenticateResult.Fail("Invalid Authorization Header");
            }

            if (user == null)
                return AuthenticateResult.Fail("Invalid User-name or Password");

            var claims = new[] {
                new Claim(ClaimTypes.NameIdentifier, user.Id.ToString()),
                new Claim(ClaimTypes.Name, user.Username),
            };
            var identity = new ClaimsIdentity(claims, Scheme.Name);
            var principal = new ClaimsPrincipal(identity);
            var ticket = new AuthenticationTicket(principal, Scheme.Name);

            return AuthenticateResult.Success(ticket);
        }
    }

UPDATE .NET 8

using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Options;

using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Text.Encodings.Web;

namespace LicenseWeppApp.Infrastructure;
internal class CustomBasicAuthenticationHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    private readonly IOptionsMonitor<AuthenticationSchemeOptions> _options;
    private readonly ILogger _logger;
    private readonly UrlEncoder _encoder;
    IUserService _userService;

    public CustomBasicAuthenticationHandler(IOptionsMonitor<AuthenticationSchemeOptions> options, ILoggerFactory logger, UrlEncoder encoder, IUserService userService)
        : base(options, logger, encoder)
    {
        _options = options;
        _logger = logger.CreateLogger("LicenseWeppApp.Infrastructure.CustomBasicAuthenticationHandler");//create a logger like this if you use obfuscation
        _encoder = encoder;
        _userService = userService;

    }
    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
    {

        if (!Request.Headers.TryGetValue("Authorization", out Microsoft.Extensions.Primitives.StringValues value) || value.Count == 0)
            return AuthenticateResult.Fail("Missing Authorization Header");

        User? user = null;
        try
        {
            var authHeader = AuthenticationHeaderValue.Parse(value);
            var credentialBytes = Convert.FromBase64String(authHeader.Parameter);
            var credentials = Encoding.UTF8.GetString(credentialBytes).Split(':', 2);
            var username = credentials[0];
            var password = credentials[1];
            user = await _userService.Authenticate(username, password);
        }
        catch
        {
            _logger.LogInformation("Invalid Authorization Header {value}", value.ToString());
            return AuthenticateResult.Fail("Invalid Authorization Header");
        }

        if (user == null)
            return AuthenticateResult.Fail("Invalid User-name or Password");

        var claims = new[] {
                new Claim(type: ClaimTypes.NameIdentifier, value:user.ID.ToString()),
                new Claim(type: ClaimTypes.Name, value:user.UserName),
        };

        var identity = new ClaimsIdentity(claims, Scheme.Name);
        var principal = new ClaimsPrincipal(identity);
        var ticket = new AuthenticationTicket(principal, Scheme.Name);

        return AuthenticateResult.Success(ticket);

    }
}

IUserService is a service that you make where you have user name and password. basically it returns a user class that you use to map your claims on.

var claims = new[] {
                new Claim(ClaimTypes.NameIdentifier, user.Id.ToString()),
                new Claim(ClaimTypes.Name, user.Username),
            };

Then you can query these claims and her any data you mapped, ther are quite a few, have a look at ClaimTypes class

you can use this in an extension method an get any of the mappings

public int? GetUserId()
{
   if (context.User.Identity.IsAuthenticated)
    {
       var id=context.User.FindFirst(ClaimTypes.NameIdentifier);
       if (!(id is null) && int.TryParse(id.Value, out var userId))
            return userId;
     }
      return new Nullable<int>();
 }

This new way, i think is better than the old way as shown here, both work

public class BasicAuthenticationAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        if (actionContext.Request.Headers.Authorization != null)
        {
            var authToken = actionContext.Request.Headers.Authorization.Parameter;
            // decoding authToken we get decode value in 'Username:Password' format
            var decodeauthToken = System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(authToken));
            // spliting decodeauthToken using ':'
            var arrUserNameandPassword = decodeauthToken.Split(':');
            // at 0th postion of array we get username and at 1st we get password
            if (IsAuthorizedUser(arrUserNameandPassword[0], arrUserNameandPassword[1]))
            {
                // setting current principle
                Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(arrUserNameandPassword[0]), null);
            }
            else
            {
                actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
            }
        }
        else
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
        }
    }

    public static bool IsAuthorizedUser(string Username, string Password)
    {
        // In this method we can handle our database logic here...
        return Username.Equals("test") && Password == "test";
    }
}

Togliatti answered 17/1, 2020 at 21:16 Comment(7)

This brilliant answer just works like a charm! Thank you for that and I wish you it will get upvoted, as it is the best answer I have found after like a six hours of searching through blogs, documentation and stack for Basic authentication plus Role authorization. – Carbon 30/3, 2020 at 11:4

@PiotrŚródka, you are welcome, please note that the answer is a little "simplified", test if you have a ':' in the text as a malicious user could try and crash your service by simply not playing nice ending in an index out of range exception. as always test what is given to you by external sources – Togliatti 30/3, 2020 at 11:11

This was really helpful. The other thing I needed to do was make sure app.UseAuthentication(); was before app.UseAuthorization(); – Ozonosphere 21/8, 2020 at 21:19

What if I wanted to call an external authentication where I get a token that has an expiration time? How would I handle the authorization? In your case you make a call to the database to retrieve the user, if not retrieved then the user is unauthorized. I want to do this with a token but I dont want to save it in the database. – Hinder 10/3, 2022 at 12:37

@Florent, the code you like to execute is your, how you compare it is yours, feel free to call any service you like – Togliatti 10/3, 2022 at 15:3

@RosdiKasim: And yet it inherits from AuthorizationFilterAttribute. – Symbolist 1/9, 2023 at 17:15

I'm not an expert but it seems to me that this answer confuses authentication with authorization. The CustomBasicAuthenticationHandler is as, the name suggests, verifying that a correct username and password has been provided. That is authentication. What the AuthorizeAttribute does, and what the OP appears to be asking about, is control access to a particulr resouce within the application. That is authorization, and creating a custom AuthorizeAttribute is still the most suitable approach. – Cello 8/2 at 16:0

If anyone just wants to validate a bearer token in the authorize phase using the current security practices you can,

add this to your Startup/ConfigureServices

    services.AddSingleton<IAuthorizationHandler, BearerAuthorizationHandler>();
    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer();

    services.AddAuthorization(options => options.AddPolicy("Bearer",
        policy => policy.AddRequirements(new BearerRequirement())
        )
    );

and this in your codebase,

public class BearerRequirement : IAuthorizationRequirement
{
    public async Task<bool> IsTokenValid(SomeValidationContext context, string token)
    {
        // here you can check if the token received is valid 
        return true;
    }
}

public class BearerAuthorizationHandler : AuthorizationHandler<BearerRequirement> 
{

    public BearerAuthorizationHandler(SomeValidationContext thatYouCanInject)
    {
       ...
    }

    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, BearerRequirement requirement)
    {
        var authFilterCtx = (Microsoft.AspNetCore.Mvc.Filters.AuthorizationFilterContext)context.Resource;
        string authHeader = authFilterCtx.HttpContext.Request.Headers["Authorization"];
        if (authHeader != null && authHeader.Contains("Bearer"))
        {
            var token = authHeader.Replace("Bearer ", string.Empty);
            if (await requirement.IsTokenValid(thatYouCanInject, token))
            {
                context.Succeed(requirement);
            }
        }
    }
}

If the code doesn't reach context.Succeed(...) it will Fail anyway (401).

And then in your controllers you can use

 [Authorize(Policy = "Bearer", AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]

Khachaturian answered 5/10, 2019 at 15:11 Comment(2)

Why would you choose to perform your own validation of the token when the JwtBearer middleware already takes care of this? It also puts the correct content in the WWW-Authenticate response header for an auth/token validation/expiration failure. If you want access to the authentication pipeline there are specific events you can tap into on AddJwtBearer options (OnAuthenticationFailed, OnChallenge, OnMessageReceived and OnTokenValidated). – Diocese 21/1, 2020 at 10:40

This is infinitely simpler than any other solution I've seen. Especially for simple api key use cases. One update: for 3.1 the cast to AuthorizationFilterContext is no longer valid because of the endpoint routing stuff. You need to grab the context via HttpContextAccessor. – Tetrad 13/5, 2020 at 17:6

The below code worked for me in .Net Core 5

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class AccessAuthorizationAttribute : AuthorizeAttribute, IAuthorizationFilter
{
    public string Module { get; set; } //Permission string to get from controller

    public AccessAuthorizationAttribute(string module)
    {
        Module = module;
    }
    public void OnAuthorization(AuthorizationFilterContext context)
    {
        //Validate if any permissions are passed when using attribute at controller or action level

        if (string.IsNullOrEmpty(Module))
        {
            //Validation cannot take place without any permissions so returning unauthorized
            context.Result = new UnauthorizedResult();
            return;
        }
       
        if (hasAccess)
        {
            return;
        }

        context.Result = new UnauthorizedResult();
        return;
    }
}

Titter answered 27/4, 2021 at 6:37 Comment(1)

When authorization fails, you want to return 403, not 401. – Autostrada 26/5, 2021 at 14:33

The accepted answer (https://mcmap.net/q/63791/-how-do-you-create-a-custom-authorizeattribute-in-asp-net-core) is not realistically maintainable or suitable because "CanReadResource" is being used as a claim (but should essentially be a policy in reality, IMO). The approach at the answer is not OK in the way it was used, because if an action method requires many different claims setups, then with that answer you would have to repeatedly write something like...

[ClaimRequirement(MyClaimTypes.Permission, "CanReadResource")] 
[ClaimRequirement(MyClaimTypes.AnotherPermision, "AnotherClaimVaue")]
//and etc. on a single action.

So, imagine how much coding that would take. Ideally, "CanReadResource" is supposed to be a policy that uses many claims to determine if a user can read a resource.

What I do is I create my policies as an enumeration and then loop through and set up the requirements like thus...

services.AddAuthorization(authorizationOptions =>
        {
            foreach (var policyString in Enum.GetNames(typeof(Enumerations.Security.Policy)))
            {
                authorizationOptions.AddPolicy(
                    policyString,
                    authorizationPolicyBuilder => authorizationPolicyBuilder.Requirements.Add(new DefaultAuthorizationRequirement((Enumerations.Security.Policy)Enum.Parse(typeof(Enumerations.Security.Policy), policyWrtString), DateTime.UtcNow)));

      /* Note that thisn does not stop you from 
          configuring policies directly against a username, claims, roles, etc. You can do the usual.
     */
            }
        });

The DefaultAuthorizationRequirement class looks like...

public class DefaultAuthorizationRequirement : IAuthorizationRequirement
{
    public Enumerations.Security.Policy Policy {get; set;} //This is a mere enumeration whose code is not shown.
    public DateTime DateTimeOfSetup {get; set;} //Just in case you have to know when the app started up. And you may want to log out a user if their profile was modified after this date-time, etc.
}

public class DefaultAuthorizationHandler : AuthorizationHandler<DefaultAuthorizationRequirement>
{
    private IAServiceToUse _aServiceToUse;

    public DefaultAuthorizationHandler(
        IAServiceToUse aServiceToUse
        )
    {
        _aServiceToUse = aServiceToUse;
    }

    protected async override Task HandleRequirementAsync(AuthorizationHandlerContext context, DefaultAuthorizationRequirement requirement)
    {
        /*Here, you can quickly check a data source or Web API or etc. 
           to know the latest date-time of the user's profile modification...
        */
        if (_aServiceToUse.GetDateTimeOfLatestUserProfileModication > requirement.DateTimeOfSetup)
        {
            context.Fail(); /*Because any modifications to user information, 
            e.g. if the user used another browser or if by Admin modification, 
            the claims of the user in this session cannot be guaranteed to be reliable.
            */
            return;
        }

        bool shouldSucceed = false; //This should first be false, because context.Succeed(...) has to only be called if the requirement specifically succeeds.

        bool shouldFail = false; /*This should first be false, because context.Fail() 
        doesn't have to be called if there's no security breach.
        */

        // You can do anything.
        await doAnythingAsync();

       /*You can get the user's claims... 
          ALSO, note that if you have a way to priorly map users or users with certain claims 
          to particular policies, add those policies as claims of the user for the sake of ease. 
          BUT policies that require dynamic code (e.g. checking for age range) would have to be 
          coded in the switch-case below to determine stuff.
       */

        var claims = context.User.Claims;

        // You can, of course, get the policy that was hit...
        var policy = requirement.Policy

        //You can use a switch case to determine what policy to deal with here...
        switch (policy)
        {
            case Enumerations.Security.Policy.CanReadResource:
                 /*Do stuff with the claims and change the 
                     value of shouldSucceed and/or shouldFail.
                */
                 break;
            case Enumerations.Security.Policy.AnotherPolicy:
                 /*Do stuff with the claims and change the 
                    value of shouldSucceed and/or shouldFail.
                 */
                 break;
                // Other policies too.

            default:
                 throw new NotImplementedException();
        }

        /* Note that the following conditions are 
            so because failure and success in a requirement handler 
            are not mutually exclusive. They demand certainty.
        */

        if (shouldFail)
        {
            context.Fail(); /*Check the docs on this method to 
            see its implications.
            */
        }                

        if (shouldSucceed)
        {
            context.Succeed(requirement); 
        } 
     }
}

Note that the code above can also enable pre-mapping of a user to a policy in your data store. So, when composing claims for the user, you basically retrieve the policies that had been pre-mapped to the user directly or indirectly (e.g. because the user has a certain claim value and that claim value had been identified and mapped to a policy, such that it provides automatic mapping for users who have that claim value too), and enlist the policies as claims, such that in the authorization handler, you can simply check if the user's claims contain requirement.Policy as a Value of a Claim item in their claims. That is for a static way of satisfying a policy requirement, e.g. "First name" requirement is quite static in nature. So, for the example above (which I had forgotten to give example on Authorize attribute in my earlier updates to this answer), using the policy with Authorize attribute is like as follows, where ViewRecord is an enum member:

[Authorize(Policy = nameof(Enumerations.Security.Policy.ViewRecord))]

A dynamic requirement can be about checking age range, etc. and policies that use such requirements cannot be pre-mapped to users.

An example of dynamic policy claims checking (e.g. to check if a user is above 18 years old) is already at the answer given by @blowdart (https://mcmap.net/q/63791/-how-do-you-create-a-custom-authorizeattribute-in-asp-net-core).

PS: I typed this on my phone. Pardon any typos and lack of formatting.

Impinge answered 16/7, 2015 at 20:56 Comment(6)

imho, the Policy is more a static validation procedure with custom logic and currently it cannot be parameterized as easy as it was in old AuthorizeAttribute. You have to generate all possible instances of DefaultAuthorizationRequirement during app startup to be able to use them in controllers. I would prefer to have one policy that can accept some scalar parameters (potentially infinite combination). This way I don't break Open-Closed principle. And your example does. (anyway I appreciate it) – Subbasement 9/9, 2020 at 20:16

@neleus, you have to use a requirement that accepts a resource. For example, in the original question, that resource is the SessionID. In your comment, the resource is the scalar property you're talking about. So, inside the requirement, the resource would be evaluated against the claims of the users and then determine if the authorization should succeed or fail. – Impinge 10/9, 2020 at 14:33

@neleus, already, the user should have been authenticated and also authorized to call the controller action, but the requirement I just described would then be used inside the controller action to determine if the user can go further based on the information contained in the resource provided to it. The resource can come from request headers, query string, data fetched from database, etc. I can write the code if you show interest in such. – Impinge 10/9, 2020 at 14:34

do you mean the specific authorization decisions are rather job of the controller than requirements? – Subbasement 23/9, 2020 at 8:58

@Subbasement Not exactly, you're only calling the code from inside the controller action. But another thing you can do is register IHttpContextAccessor as a service (by services.AddHttpContextAccessor()), and then inject it into the AuthorizationHandler for the Requirement. From IHttpContextAccessor, you can get HttpContext.GetRouteData() and then retrieve the route data you want (e.g. the Seesion ID in the discussion). Beware of nulls. – Impinge 26/9, 2020 at 21:41

I don't really see what this solves. I would personally avoid passing in two things here and just use params to pass in however many permissions enums are required. If you need a ton of permissions passed in then I could see policy creation via these static enums as okay. This isn't that difficult, either you need policies or you don't. There is no "right" way. – Yandell 6/1, 2021 at 22:31

As of this writing I believe this can be accomplished with the IClaimsTransformation interface in asp.net core 2 and above. I just implemented a proof of concept which is sharable enough to post here.

public class PrivilegesToClaimsTransformer : IClaimsTransformation
{
    private readonly IPrivilegeProvider privilegeProvider;
    public const string DidItClaim = "http://foo.bar/privileges/resolved";

    public PrivilegesToClaimsTransformer(IPrivilegeProvider privilegeProvider)
    {
        this.privilegeProvider = privilegeProvider;
    }

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        if (principal.Identity is ClaimsIdentity claimer)
        {
            if (claimer.HasClaim(DidItClaim, bool.TrueString))
            {
                return principal;
            }

            var privileges = await this.privilegeProvider.GetPrivileges( ... );
            claimer.AddClaim(new Claim(DidItClaim, bool.TrueString));

            foreach (var privilegeAsRole in privileges)
            {
                claimer.AddClaim(new Claim(ClaimTypes.Role /*"http://schemas.microsoft.com/ws/2008/06/identity/claims/role" */, privilegeAsRole));
            }
        }

        return principal;
    }
}

To use this in your Controller just add an appropriate [Authorize(Roles="whatever")] to your methods.

[HttpGet]
[Route("poc")]
[Authorize(Roles = "plugh,blast")]
public JsonResult PocAuthorization()
{
    var result = Json(new
    {
        when = DateTime.UtcNow,
    });

    result.StatusCode = (int)HttpStatusCode.OK;

    return result;
}

In our case every request includes an Authorization header that is a JWT. This is the prototype and I believe we will do something super close to this in our production system next week.

Future voters, consider the date of writing when you vote. As of today, this works on my machine.™ You will probably want more error handling and logging on your implementation.

Altocumulus answered 5/3, 2020 at 22:30 Comment(2)

What about ConfigureServices? Is it needed to add something? – Edith 6/3, 2020 at 13:26

As discussed elsewhere, yes. – Altocumulus 6/3, 2020 at 20:1

Here's a simple 5-step guide for how to implement custom role authorization using policies for all you copy and pasters out there :) . I used these docs.

Create a requirement:

public class RoleRequirement : IAuthorizationRequirement
{
    public string Role { get; set; }
}

Create a handler:

public class RoleHandler : AuthorizationHandler<RoleRequirement>
{
    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, RoleRequirement requirement)
    {
        var requiredRole = requirement.Role;

        //custom auth logic
        //  you can use context to access authenticated user,
        //  you can use dependecy injection to call custom services 

        var hasRole = true;

        if (hasRole)
        {
            context.Succeed(requirement);
        }
        else
        {
            context.Fail(new AuthorizationFailureReason(this, $"Role {requirement.Role} missing"));
        }
    }
}

Add the handler in Program.cs:

builder.Services.AddSingleton<IAuthorizationHandler, RoleHandler>();

Add a policy with your role requirement in program.cs:

builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("Read", policy => policy.Requirements.Add(new RoleRequirement{Role = "ReadAccess_Custom_System"}));
});

Use your policy:

[Authorize("Read")]
public class ExampleController : ControllerBase
{
}

Priedieu answered 12/8, 2022 at 9:12 Comment(2)

If someone would ever interested, requirement handlers can be registered with any service lifetime, not necessarily singleton. learn.microsoft.com/en-us/aspnet/core/security/authorization/… – Gambell 17/3, 2023 at 8:31

Also, if request is unauthorized, result will return exception No authenticationScheme was specified, and there was no DefaultChallengeScheme found instead of some correct result code. So, 6th step is required: AuthorizationMiddlewareResultHandler. Good example is here #35657328 from @Ogglas – Gambell 17/3, 2023 at 15:37

Just adding to the great answer from @Shawn. If you are using dotnet 5 you need to update the class to be:

public abstract class AttributeAuthorizationHandler<TRequirement, TAttribute> : AuthorizationHandler<TRequirement> where TRequirement : IAuthorizationRequirement where TAttribute : Attribute
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, TRequirement requirement)
    {
        var attributes = new List<TAttribute>();
        
        if (context.Resource is HttpContext httpContext)
        {
            var endPoint = httpContext.GetEndpoint();

            var action = endPoint?.Metadata.GetMetadata<ControllerActionDescriptor>();

            if(action != null)
            {
                attributes.AddRange(GetAttributes(action.ControllerTypeInfo.UnderlyingSystemType));
                attributes.AddRange(GetAttributes(action.MethodInfo));
            }
        }
        
        return HandleRequirementAsync(context, requirement, attributes);
    }

    protected abstract Task HandleRequirementAsync(AuthorizationHandlerContext context, TRequirement requirement, IEnumerable<TAttribute> attributes);

    private static IEnumerable<TAttribute> GetAttributes(MemberInfo memberInfo) => memberInfo.GetCustomAttributes(typeof(TAttribute), false).Cast<TAttribute>();
}

Noting the way getting the ControllerActionDescriptor has changed.

Nuptials answered 25/2, 2021 at 4:48 Comment(0)

I have bearer token and I can read claims. I use that attribute on controllers and actions

public class CustomAuthorizationAttribute : ActionFilterAttribute
{
    public string[] Claims;

    public override void OnActionExecuting(ActionExecutingContext context)
    {
        // check user 
        var contextUser = context?.HttpContext?.User;
        if (contextUser == null)
        {
            throw new BusinessException("Forbidden");
        }


        // check roles
        var roles = contextUser.FindAll("http://schemas.microsoft.com/ws/2008/06/identity/claims/role").Select(c => c.Value).ToList();
        if (!roles.Any(s => Claims.Contains(s)))
        {
            throw new BusinessException("Forbidden");
        }

        base.OnActionExecuting(context);
    }
}

example

[CustomAuthorization(Claims = new string[]
    {
        nameof(AuthorizationRole.HR_ADMIN),
        nameof(AuthorizationRole.HR_SETTING)
    })]
[Route("api/[controller]")]
[ApiController]
public class SomeAdminController : ControllerBase
{
    private readonly IMediator _mediator;

    public SomeAdminController(IMediator mediator)
    {
        _mediator = mediator;
    }

    [HttpGet("list/SomeList")]
    public async Task<IActionResult> SomeList()
        => Ok(await _mediator.Send(new SomeListQuery()));
}

That is Roles

public struct AuthorizationRole
{
    public static string HR_ADMIN;
    public static string HR_SETTING;
}

Ordure answered 1/3, 2021 at 10:51 Comment(0)

For authorization in our app. We had to call a service based on the parameters passed in authorization attribute.

For example, if we want to check if logged in doctor can view patient appointments we will pass "View_Appointment" to custom authorize attribute and check that right in DB service and based on results we will athorize. Here is the code for this scenario:

    public class PatientAuthorizeAttribute : TypeFilterAttribute
    {
    public PatientAuthorizeAttribute(params PatientAccessRights[] right) : base(typeof(AuthFilter)) //PatientAccessRights is an enum
    {
        Arguments = new object[] { right };
    }

    private class AuthFilter : IActionFilter
    {
        PatientAccessRights[] right;

        IAuthService authService;

        public AuthFilter(IAuthService authService, PatientAccessRights[] right)
        {
            this.right = right;
            this.authService = authService;
        }

        public void OnActionExecuted(ActionExecutedContext context)
        {
        }

        public void OnActionExecuting(ActionExecutingContext context)
        {
            var allparameters = context.ActionArguments.Values;
            if (allparameters.Count() == 1)
            {
                var param = allparameters.First();
                if (typeof(IPatientRequest).IsAssignableFrom(param.GetType()))
                {
                    IPatientRequest patientRequestInfo = (IPatientRequest)param;
                    PatientAccessRequest userAccessRequest = new PatientAccessRequest();
                    userAccessRequest.Rights = right;
                    userAccessRequest.MemberID = patientRequestInfo.PatientID;
                    var result = authService.CheckUserPatientAccess(userAccessRequest).Result; //this calls DB service to check from DB
                    if (result.Status == ReturnType.Failure)
                    {
                        //TODO: return apirepsonse
                        context.Result = new StatusCodeResult((int)System.Net.HttpStatusCode.Forbidden);
                    }
                }
                else
                {
                    throw new AppSystemException("PatientAuthorizeAttribute not supported");
                }
            }
            else
            {
                throw new AppSystemException("PatientAuthorizeAttribute not supported");
            }
        }
    }
}

And on API action we use it like this:

    [PatientAuthorize(PatientAccessRights.PATIENT_VIEW_APPOINTMENTS)] //this is enum, we can pass multiple
    [HttpPost]
    public SomeReturnType ViewAppointments()
    {

    }

Worse answered 11/12, 2019 at 9:33 Comment(3)

Please note that IActionFilter will be a problem when you want to use the same attribute for Hub methods in SignalR.SignalR Hubs expect IAuthorizationFilter – Photojournalism 11/12, 2019 at 10:58

Thanks for the info. I am not using SignalR in my application right now so i havent tested it with it. – Worse 11/12, 2019 at 13:2

Same principle I guess as you will still have to use the header's authorisation entry, the implementation will differ – Togliatti 30/3, 2020 at 11:6

A lot of people here already told this, but with Policy handlers you can come really far in terms of what you could achieve with the old way in .NET Framework.

I followed a quick writeup from this answer on SO: https://mcmap.net/q/64961/-how-to-implement-custom-authorization-filter-for-blazor-page For me it works flawlessly after making some classes:

The EditUserRequirement:

public class EditUserRequirement : IAuthorizationRequirement
{
    public EditUserRequirement()
    {
    }
}

An abstract handler to make my life easier:

public abstract class AbstractRequirementHandler<T> : IAuthorizationHandler
    where T : IAuthorizationRequirement
{
    public async Task HandleAsync(AuthorizationHandlerContext context)
    {
        var pendingRequirements = context.PendingRequirements.ToList();
        foreach (var requirement in pendingRequirements)
        {
            if (requirement is T typedRequirement)
            {
                await HandleRequirementAsync(context, typedRequirement);
            }
        }
    }

    protected abstract Task HandleRequirementAsync(AuthorizationHandlerContext context, T requirement);
}

An implementation of the abstract handler:

public class EditUserRequirementHandler : AbstractRequirementHandler<EditUserRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, EditUserRequirement requirement)
    {
        // If the user is owner of the resource, allow it.
        if (IsOwner(context.User, g))
        {
            context.Succeed(requirement);
        }

        return Task.CompletedTask;
    }

    private static bool IsOwner(ClaimsPrincipal user, Guid userIdentifier)
    {
        return user.GetUserIdentifier() == userIdentifier;
    }
}

Registering my handler and requirement: services.AddSingleton<IAuthorizationHandler, EditUserRequirementHandler>();

        services.AddAuthorization(options =>
        {
            options.AddPolicy(Policies.Policies.EditUser, policy =>
            {
                policy.Requirements.Add(new EditUserRequirement());
            });
        });

And then using my Policy in Blazor:

<AuthorizeView Policy="@Policies.EditUser" Resource="@id">
    <NotAuthorized>
        <Unauthorized />
    </NotAuthorized>
    <Authorized Context="Auth">
        ...
    </Authorized>
</AuthorizeView>

I hope this is useful for anyone facing this issue.

Swatow answered 11/5, 2022 at 8:19 Comment(0)

I have been looking into solving a very similar issue, and settled on creating a custom ActionFilterAttribute (I'm going to call it AuthorizationFilterAttribute) instead of an AuthorizeAttribute to implement the guidance here: https://learn.microsoft.com/en-us/aspnet/core/security/authorization/resourcebased?view=aspnetcore-6.0#challenge-and-forbid-with-an-operational-resource-handler.

Plaintiff answered 13/6, 2022 at 22:44 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

That's it.

A little (optional) update from 2024

P.S.

Recommended topics

Hot tags