Authorization Best Approaches

Currently, we have an ASP.NET web application with a SQL Server backend. Within the application, users are assigned to projects (and within each project they are assigned a role). Currently, a user hits our application, and I set a claim (containing authorization information) for subsequent requests (i.e. what projects they have access to and what role they have in each).

What I was wanting/thinking is I would utilize Auth0 for authentication only with universal login control. The user hits the site, is redirected to universal control, which authenticates and redirects them to the application where we continue to place claim/cookie with role information.

Is this approach possible? (I suspect we can append to the cookie/claim with more role information after we are redirected back to our site?)

Sure, this is possible, but there are other approaches that may be better.
You can put the role/access permissions in an Auth0 access token; that is what it is designed for.
Check out Auth0's RBAC capabilities; that may be fruitful.

John

I would like to extend the AuthorizeAttribute to query the claims and make additional checks after login within particular controllers/actions. The issue I am currently having is that my custom attribute is not being fired/used when a user navigates to the controller/view.

Ideas?

    using System.Configuration;
    using System.Linq;
    using System.Security.Claims;
    using System.Web.Http;
    using System.Web.Http.Controllers;

    // Web API authorization filter: derives from System.Web.Http.AuthorizeAttribute,
    // which is consulted by the Web API pipeline (HttpActionContext), and checks
    // that the caller's access token carries a required OAuth scope.
    public class ScopeAuthorizeAttribute : AuthorizeAttribute
    {
        private readonly string scope;

        public ScopeAuthorizeAttribute(string scope)
        {
            this.scope = scope;
        }

        public override void OnAuthorization(HttpActionContext actionContext)
        {
            // Base check: the request must be authenticated (and match Users/Roles, if set)
            base.OnAuthorization(actionContext);

            // Get the Auth0 domain, in order to validate the issuer
            var domain = $"https://{ConfigurationManager.AppSettings["Auth0Domain"]}/";

            // Get the claims principal for the current request
            ClaimsPrincipal principal = actionContext.ControllerContext.RequestContext.Principal as ClaimsPrincipal;

            // Get the scope claim. Ensure that the issuer is the correct Auth0 domain,
            // so a scope asserted by any other issuer is ignored
            var scopeClaim = principal?.Claims.FirstOrDefault(c => c.Type == "scope" && c.Issuer == domain);
            if (scopeClaim != null)
            {
                // Scopes are space-delimited in the claim value
                var scopes = scopeClaim.Value.Split(' ');

                // Succeed if the scope array contains the required scope
                if (scopes.Any(s => s == scope))
                    return;
            }

            // Required scope missing: reject the request
            HandleUnauthorizedRequest(actionContext);
        }
    }
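As an added example (not code from the thread or from Auth0), assuming the controller/view in question is an ASP.NET MVC controller rather than a Web API controller: the filter above derives from `System.Web.Http.AuthorizeAttribute`, which only the Web API pipeline invokes, so an MVC counterpart derives from `System.Web.Mvc.AuthorizeAttribute` and overrides `AuthorizeCore`. The class name `MvcScopeAuthorizeAttribute` and the `Auth0Domain` app setting are assumptions; the 403-versus-redirect handling is an addition so that a logged-in user lacking the scope is not bounced back to login.

```csharp
using System;
using System.Configuration;
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

// Hypothetical MVC counterpart of the Web API ScopeAuthorizeAttribute (added example).
public class MvcScopeAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string scope;

    public MvcScopeAuthorizeAttribute(string scope)
    {
        this.scope = scope;
    }

    // MVC calls AuthorizeCore for every request reaching a decorated controller or
    // action; returning false makes the framework call HandleUnauthorizedRequest.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Authentication (and any Users/Roles on the attribute) must pass first.
        if (!base.AuthorizeCore(httpContext))
            return false;

        var domain = $"https://{ConfigurationManager.AppSettings["Auth0Domain"]}/";
        var principal = httpContext.User as ClaimsPrincipal;

        // Only trust a scope claim issued by our own Auth0 tenant.
        var scopeClaim = principal?.Claims.FirstOrDefault(c => c.Type == "scope" && c.Issuer == domain);
        if (scopeClaim == null)
            return false;

        return scopeClaim.Value
            .Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries)
            .Any(s => string.Equals(s, scope, StringComparison.Ordinal));
    }

    // An authenticated user who lacks the scope gets 403; anonymous users still get
    // the default behaviour (401, which the login middleware turns into a redirect).
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User?.Identity?.IsAuthenticated == true)
        {
            filterContext.Result = new HttpStatusCodeResult(403, "Missing scope: " + scope);
            return;
        }
        base.HandleUnauthorizedRequest(filterContext);
    }
}
```

Apply it as `[MvcScopeAuthorize("read:projects")]` on an MVC controller or action (scope value is a constructed placeholder); Web API controllers keep using the `System.Web.Http` version.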