I have installed the Thinktecture.IdentityModel.Core package.

Suppose I've registered my custom implementation of AuthorizationManager in web.config file.

using System;
using System.Security.Claims;

public class AuthorizationManager : ClaimsAuthorizationManager {
    public override Boolean CheckAccess(AuthorizationContext context) {
        // authorization implementation goes here;
        // deny by default until a real check is in place
        return false;
    }
}

There are permissions defined in the application db for user roles. So a User might have Read permission for the Blogs and Arts resources if it is in the BasicUser role.

The workflow as I see it:

  1. at login you make a db query to fetch all action-resource pairs from all roles assigned to the authenticated user
  2. then you have to add claims (based on the db query result) to the identity
  3. ClaimsAuthorizationAttribute makes a call to the ClaimsAuthorizationManager
  4. ClaimsAuthorizationManager internally checks the authentication cookie with the claims from step 2

Am I right?

Or am I supposed to do a database permission lookup inside the CheckAccess method? Will this work on a per-request basis?

How do I transform/attach the db-fetched set of action-resource pairs into identity claims?

lexeme
    Regardless of Thinktecture I like the Idea of grouping claims by roles in this sample project : https://github.com/trailmax/ClaimsAuthorisation/tree/master/ClaimsAuth/Controllers – Tarek Salah Jan 26 '15 at 21:20

1 Answer

Inside the CheckAccess method you are not supposed to look up the database. You are supposed to check whether the claims inside the AuthorizationContext allow the user to access the action/resources. Claims are supposed to be filled during Authentication.

At login, you can fetch roles from your database and add them to the claims; then the claims can be stored in the cookie or in session to avoid fetching them on each request. Cookie or Session storage of claims is handled natively (and securely) using the right configuration.

Guillaume
  • Can you please illustrate that? What types of claims should I add? I think the relation between **`Action`** and the corresponding **`Resources`** isn't separable. And I have just read a thread about unsuccessful deserialization of custom complex claims. If a single claim must be a key-(primitive)value to support deserialization, then how do I properly add them to the claims identity? – lexeme Jan 27 '15 at 13:20
  • You can fill claims from a custom ClaimsAuthenticationManager. – Guillaume Jan 27 '15 at 16:12
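One way to wire this up, as an added example that is not from the question, the answer or Thinktecture: a custom ClaimsAuthenticationManager runs once at authentication and turns the database lookup (stubbed here with constructed data) into one primitive string claim per action/resource pair, so the pair survives cookie serialization, and CheckAccess then only inspects the principal's claims. The claim type URI, the "Action:Resource" encoding and the LookupPermissions stub are assumptions; it assumes the attribute supplies the action and resource as claims on the AuthorizationContext, as the .NET 4.5 API does.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

// Hypothetical claim type (placeholder URI). Each action/resource pair is
// encoded as a single string value, e.g. "Read:Blogs", so the claim is a
// plain key/value that round-trips through the session cookie.
public static class PermissionClaim
{
    public const string Type = "urn:example:permission";
    public static string Value(string action, string resource)
    {
        return action + ":" + resource;
    }
}

// Runs at authentication time: enrich the identity with permission claims.
public class PermissionClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        var identity = incomingPrincipal.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return incomingPrincipal;

        foreach (var permission in LookupPermissions(incomingPrincipal))
            identity.AddClaim(new Claim(PermissionClaim.Type, permission));

        return incomingPrincipal;
    }

    // Stand-in for the database query; constructed sample data.
    private static string[] LookupPermissions(ClaimsPrincipal principal)
    {
        return principal.IsInRole("BasicUser")
            ? new[] { "Read:Blogs", "Read:Arts" }
            : new string[0];
    }
}

// Runs per request: no database access, only a claim lookup on the principal.
public class AuthorizationManager : ClaimsAuthorizationManager
{
    public override bool CheckAccess(AuthorizationContext context)
    {
        var action = context.Action.FirstOrDefault();
        var resource = context.Resource.FirstOrDefault();
        if (action == null || resource == null)
            return false; // deny when the request is under-specified

        var wanted = PermissionClaim.Value(action.Value, resource.Value);
        return context.Principal.HasClaim(PermissionClaim.Type, wanted);
    }
}
```

Both classes still have to be registered in web.config (claimsAuthenticationManager and claimsAuthorizationManager) for the pipeline to call them.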