Role Claims in ASP.NET Core Identity compared to Role Permissions in custom auth

Blake Rivell · Oct 30, 2017 · Viewed 15.4k times

Let's step away from ASP.NET Identity for a sec and let's say we are building a custom authentication/authorization system for our application.

It will contain the following tables for full flexibility:

  - Users
  - Roles
  - Permissions
  - UserRoles
  - RolePermissions

With the above we can have a full-fledged User Management section of an application where an Administrator can say User A has Role B which has Permissions C, D, F.

The above has always worked for me in the past, but let's switch gears now to an ASP.NET Core MVC Application using ASP.NET Identity.

Attempting to utilize everything Microsoft gives you with ASP.NET Core Identity in the UserManager, I would like to be able to still achieve the above, but the ASP.NET Core Identity MVC way.

What I know:
That I can easily use the UserManager to implement CRUD pages for Users and Roles and User Roles.

What I am trying to figure out:
How can I replicate the same behavior of the "which permissions/actions does a role have?" concept.

My initial guess at this is that you would use Claims in combination with Roles. Claims get assigned to Roles, i.e. RoleClaims, and then Roles get assigned to Users.

This way I would be able to simply check for Roles above Controllers/Action methods with Authorize tags, and additionally go even further at the page level, saying hide/show the delete button if the user's Role does not have Claim "DeleteProduct". Kind of like what this view-based authorization documentation is saying.

--

I am trying to figure out if I am on the right path with this stuff. Any advice or corrections would be helpful.

Answer

George McKibbin · Nov 10, 2017

This person seems to have a potential solution for your particular problem.

Users Roles Permissions using ASP.NET Core Identity 3

More information on Claims and Policies

https://docs.microsoft.com/en-us/aspnet/core/security/authorization/claims

Basically

  1. Make a new user
  2. Make a new role
  3. Make a new Claim
  4. Add Claim to Role
  5. Add User to Role
  6. Make a new Policy with claim (during configure services)
  7. Check for user being authorized for policy

Note: Not entirely sure if that works with ASP.NET Core 2 or not, or which version you were using.
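
The seven steps from the answer above, as an added example that is not code from the original answer or the linked post. It assumes the app registers Identity with `AddIdentity<IdentityUser, IdentityRole>()`; the claim type `Permission`, the role `ProductManager`, the policy name `CanDeleteProduct` and the controller are assumed names.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class PermissionSetup
{
    // Assumed names for illustration; none of these come from the original post.
    public const string PermissionClaimType = "Permission";
    public const string DeleteProduct = "DeleteProduct";
    public const string CanDeleteProductPolicy = "CanDeleteProduct";

    // Step 6: call from Startup.ConfigureServices, after AddIdentity<IdentityUser, IdentityRole>().
    public static void AddPermissionPolicies(IServiceCollection services) =>
        services.AddAuthorization(options =>
            options.AddPolicy(CanDeleteProductPolicy, policy =>
                policy.RequireClaim(PermissionClaimType, DeleteProduct)));

    // Steps 1-5: create the user and role, attach the permission claim to the role,
    // then put the user in the role. The password is supplied by the caller, never hard-coded.
    public static async Task SeedAsync(UserManager<IdentityUser> users,
        RoleManager<IdentityRole> roles, string email, string password)
    {
        var user = new IdentityUser { UserName = email, Email = email };
        Check(await users.CreateAsync(user, password));                                   // 1
        var role = new IdentityRole("ProductManager");
        Check(await roles.CreateAsync(role));                                             // 2
        Check(await roles.AddClaimAsync(role, new Claim(PermissionClaimType, DeleteProduct))); // 3, 4
        Check(await users.AddToRoleAsync(user, role.Name));                               // 5
    }

    // Identity reports failures through IdentityResult rather than by throwing;
    // an unchecked result would leave a role silently missing its permission.
    private static void Check(IdentityResult result)
    {
        if (!result.Succeeded)
            throw new InvalidOperationException(
                string.Join("; ", result.Errors.Select(e => e.Description)));
    }
}

// Step 7: the action is guarded by the permission policy, not by a role name.
public class ProductsController : Controller
{
    [HttpPost, ValidateAntiForgeryToken]
    [Authorize(Policy = PermissionSetup.CanDeleteProductPolicy)]
    public IActionResult Delete(int id) => NoContent(); // deletion itself omitted
}
```

Hiding the delete button in a view (by evaluating the same policy through `IAuthorizationService.AuthorizeAsync`) is only cosmetic; the `[Authorize]` attribute on the action is what enforces the permission. Role claims are copied into the user's principal when it is built at sign-in, so a change to a role's claims applies to a signed-in user only once their principal is regenerated.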