I am trying to implement role-based authorization on a ASP.NET Core 8 Web API, and the goal is that users have access to nothing by default. Their role has to be declared explicitly.
Another requirement is that the Admin role should have access to absolutely everything.
I struggle to see how to implement this simple cybersecurity requirement because :
- If I don’t add the
[Authorize]attribute on the controller, then it is completely open to anyone with any role. This default behavior seems extremely weird to me, as it means if we just forget to set theAuthorizeattribute, we completely open our sensitive API to any user. - If I want to set a “default” role for the controller and then override it at the action level, I can’t because they are additive.
I have seen various answers here on SO to deal with this but usually they either answer part of the problem or they are completely outdated and relate to ASP.NET MVC, or they deal about making stuff just public/not public.
What I would like is this :
public class AppController : Controller
{
[Authorize(Roles = "User")]
public IActionResult ListItems() {} // <= Can be accessed by role "User"
public IActionResult GetItem() {} // <= Can be accessed by no one
}
As an alternative, it would be acceptable for us to have this :
[Authorize("Admin")]
public class AppController : Controller
{
[Authorize(Roles = "User")]
public IActionResult ListItems() {} // <= Can be accessed by roles "User" OR "Admin"
public IActionResult GetItem() {} // <= Can be accessed by "Admin"
}
But I have not seen any way to change the fact that if the role check for controller fails, it won’t reach the check for the action.
Inverting the logic (User on controller and then Admin where it’s due) is not OK because it brings us back to a lack of security, plus it still means that all admins need to also have the user role, which is a bit of overhead in role management.
I don’t know how to get to any of these two options, I have a feeling this implies re-implementing some custom things, but I don’t know which ones.
1
1-You can create a policy
Program.cs
builder.Services.AddAuthorization(options =>
{
options.AddPolicy("AdminOnly", policy => policy.RequireRole("Admin"));
});
YourController.cs
[Authorize(Policy = "AdminOnly")]
public class AdminController : ControllerBase
{
public IActionResult GetAdminData()
{
return Ok("Admin data");
}
}
2-You can give [AllowAnonymous] if all your endpoints requires auth this will be make the endpoint accessed by everyone.
[AllowAnonymous]
public class YourController: ControllerBase
{
public IActionResult AnonymousEndpoint()
{
return Ok("This api is accessed by everyone");
}
}
3-Or you can assign the roles into filter
[Authorize("Admin,User")]
Barış Taner is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
1
It should be
[Authorize(Roles="Admin,User")]
public class AppController : Controller
{
public IActionResult ListItems() {} // <= Can be accessed by roles "User" OR "Admin"
[Authorize(Roles = "Admin")]
public IActionResult GetItem() {} // <= Can be accessed by "Admin"
}
You could read this document for more details
1