
In our Web Api 2 system, Users belong to a Subscription:

public class ApplicationUser : IdentityUser
{
    public Guid SubscriptionId { get; set; }
}

Users can only view data from within their own subscription. If a user does not belong to a subscription, an unauthorised response (401) should be returned.

An example request could be something like this:

api/v1/subscriptions/{subscriptionId}/projects/

We are currently using token-based authentication (as per this article) with Entity Framework 6 & ASP.NET Identity 2.

What is the best way to authorize a user against a subscription?

I could create a custom authorization filter, but wouldn't retrieving the currently logged-in user and the subscription ID from the URL be messy?

Dave New
  • In your controller, are you just returning an IQueryable? If so, couldn't this just be filtered for the current user (so it only returns data that they are authorized to see)? Or, do you want to return an unauthorized response if they request a subscription where they aren't authorized? – snow_FFFFFF Jan 02 '15 at 13:56
  • @snow_FFFFFF: I want to return an unauthorized response. Will edit question - thanks. – Dave New Jan 02 '15 at 13:56
  • This is a little off topic, but all of my web api work has been with odata endpoints. In the odata controllers, I can add ODataQueryOptions to the gets and pick apart the request pretty easily (no actual string parsing required). I'm not sure you are using odata - if not, there might be something similar that you could use to get the values you need to check. – snow_FFFFFF Jan 02 '15 at 14:25

0 Answers
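One way to do the check the question describes, as an added example that is not code from the question or from the linked article: a Web API 2 authorization filter that compares the {subscriptionId} route value against a subscription claim in the caller's bearer token. It assumes the token endpoint added a "subscriptionId" claim from ApplicationUser.SubscriptionId when the token was issued (the claim type name is an assumption), so the check never trusts a subscription ID supplied by the client.

```csharp
// Added example, not from the question. Assumes the token issuer added
// new Claim("subscriptionId", user.SubscriptionId.ToString()) to the identity.
using System;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

public class RequireSubscriptionAttribute : AuthorizationFilterAttribute
{
    // Route parameter from the question's URL: api/v1/subscriptions/{subscriptionId}/...
    private const string RouteKey = "subscriptionId";
    private const string ClaimType = "subscriptionId"; // assumed claim type

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
        {
            Deny(actionContext, HttpStatusCode.Unauthorized, "Authentication required.");
            return;
        }

        // No subscription claim means the user belongs to no subscription: 401, as the question specifies.
        Guid userSubscription;
        var claim = principal.FindFirst(ClaimType);
        if (claim == null || !Guid.TryParse(claim.Value, out userSubscription))
        {
            Deny(actionContext, HttpStatusCode.Unauthorized, "User is not a member of any subscription.");
            return;
        }

        // The requested subscription is read from route data, which the routing table has already matched.
        object routeValue;
        Guid requestedSubscription;
        if (!actionContext.ControllerContext.RouteData.Values.TryGetValue(RouteKey, out routeValue)
            || !Guid.TryParse(Convert.ToString(routeValue), out requestedSubscription))
        {
            Deny(actionContext, HttpStatusCode.NotFound, "No subscription id in route.");
            return;
        }

        // Authenticated but outside their own subscription. 403 is the precise status;
        // use HttpStatusCode.Unauthorized here if the 401 contract from the question is required.
        if (requestedSubscription != userSubscription)
            Deny(actionContext, HttpStatusCode.Forbidden, "Subscription does not belong to the current user.");
    }

    private static void Deny(HttpActionContext ctx, HttpStatusCode status, string reason)
    {
        ctx.Response = ctx.Request.CreateErrorResponse(status, reason); // short-circuits the action
    }
}
```

Decorate the subscription-scoped controllers with [RequireSubscription] so every action under api/v1/subscriptions/{subscriptionId}/ is covered rather than relying on each action to filter its own query. Because the comparison uses the claim from the server-issued token, a user cannot widen their access by editing the URL.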