Manage User Rights By Decorating Their Claims Identity

  2,933 views

Jeff Zuerlein

1 day ago

Claims based authorization in Dot Net is a hidden gem. But the reality is that you don’t really get a lot of useful claims from an external identity provider like Google or Microsoft. Google doesn’t know anything about your user or your security rights or your tenants. We manage security with roles and groups, not by individual user. So where’s that information going to come from? Hold on, keep listening, cause I’ve got a slick solution for you, and I think you’re going to like it.
#security #csharp #aspnetcore
Blog: betterwithcode.com/
LinkedIn: / jeff-zuerlein-2aa67b7
00:00 Intro
00:52 Describing The Solution
01:23 Configuring The Pipeline
01:44 Short Circuiting The Pipeline
02:04 What's The HTTP Context?
02:27 Tenants Example
02:57 Building The Middleware
04:06 ClaimsPrincipal vs ClaimsIdentity
05:15 Adding Policies
05:49 Demo Time
06:27 A Bit More Realistic
08:26 Why You Should Use It

Comments: 14
@krccmsitp2884 29 days ago
That was very insightful, thanks. I'd like to see more about implementing authorization topics.
@JeffZuerlein 28 days ago
I’m working on it!
1 month ago
Thank you! I worked with all components but it never crossed my mind to combine them like this. And it makes perfect sense.
@JeffZuerlein 1 month ago
I know! I can’t figure out why people don’t talk about it more.
@cuongphung9163 1 month ago
The way you organize content and present is great. Thanks so much.
@JeffZuerlein 1 month ago
So nice of you to say. I appreciate it.
@alexisfibonacci 1 month ago
How about implementing the IClaimsTransformation interface?
@JeffZuerlein 16 days ago
I've been avoiding your comment for long enough... You could use the IClaimsTransformation interface to "Decorate" or "Transform" a ClaimsPrincipal, in a very similar way to what I describe in my video. I presented the option of using middleware because a while back I read Brock Allen's blog post on the transform occurring more than once per request. However, I recently learned that Microsoft added a HashSet to the AuthenticationService to cache the result of the transform, so it effectively only gets transformed once. github.com/dotnet/aspnetcore/commit/814a37548b6adae2f846eae3144e8f37c1388520 That makes IClaimsTransformation much more compelling. At the end of the day, both work. I think the differentiator between the two options is... Do you need the HTTPContext in the decoration process? Do you need to implement your own caching of ClaimsPrincipal data for performance reasons, if so where and how? I still think there could be a slight performance advantage to using the middleware approach, but I don't have data to support that.
@07309415 1 month ago
Thanks for the video. I like how you explained the material and would like to see more on this subject. I appreciate access to the source as well.
@JeffZuerlein 1 month ago
Thank you! I want to make one or two more videos on Authorization, so I’m working on cleaning up the source code and adding a few more examples. Glad you liked the content!
@ProstoDoCelu316 28 days ago
You will make a call to the database on every request, right?
@JeffZuerlein 28 days ago
Yep. Caching could be a good option. Typically application specific claims don’t change very often. That would reduce the round trips and latency.
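The IClaimsTransformation option and the caching raised in the replies above, sketched together as an added example (not code from the video or its source repository). `IUserRightsStore`, `AppClaimsTransformation`, `SqlUserRightsStore`, the `AppRights` identity type and the five-minute cache lifetime are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Caching.Memory;

// Hypothetical application store: returns app-specific claims (roles, tenants) for an external user.
public interface IUserRightsStore
{
    Task<IReadOnlyList<Claim>> GetClaimsAsync(string issuer, string subject);
}

public sealed class AppClaimsTransformation : IClaimsTransformation
{
    private const string AppIdentityType = "AppRights"; // marks the identity added here
    private readonly IUserRightsStore _store;
    private readonly IMemoryCache _cache;

    public AppClaimsTransformation(IUserRightsStore store, IMemoryCache cache)
        => (_store, _cache) = (store, cache);

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // Never decorate an anonymous caller.
        if (principal.Identity?.IsAuthenticated != true) return principal;
        // Idempotent: a repeated transform must not stack duplicate identities.
        if (principal.Identities.Any(i => i.AuthenticationType == AppIdentityType)) return principal;
        var id = principal.FindFirst(ClaimTypes.NameIdentifier);
        if (id is null || string.IsNullOrEmpty(id.Value)) return principal;

        // Key on issuer + subject so the same subject value from two providers cannot collide.
        // The short lifetime bounds how long a revoked right stays effective.
        var claims = await _cache.GetOrCreateAsync($"rights:{id.Issuer}:{id.Value}", entry =>
        {
            entry.AbsoluteExpirationRelativeToNow = TimeSpan.FromMinutes(5);
            return _store.GetClaimsAsync(id.Issuer, id.Value);
        });

        // Add a second identity instead of mutating the one issued by the identity provider.
        principal.AddIdentity(new ClaimsIdentity(claims, AppIdentityType));
        return principal;
    }
}

// Registration (Program.cs); SqlUserRightsStore is a hypothetical implementation:
// builder.Services.AddMemoryCache();
// builder.Services.AddScoped<IUserRightsStore, SqlUserRightsStore>();
// builder.Services.AddScoped<IClaimsTransformation, AppClaimsTransformation>();
```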
@massinamas 16 days ago
What is the difference between groups and roles?
@JeffZuerlein 16 days ago
To me... they are completely different; to Microsoft, they are the same thing. My notion of a Role would be the personal assistant to a CEO, or the CEO. It's a job that gets filled by a user. I don't want to code rights to an individual user, but I would to a role. My notion of a group would be a set of users. That set of users could all be given the same right, or the group could be assigned to a role. An example would be... Role = Online Content Reviewer, and there could be a group of users who fill that role. Microsoft doesn't support relationships between users, roles, groups, and tenants. I think it makes managing authorization much easier.