
I would like to confirm that the claims in the bearer token are up to date on each API call, so that I can be sure that the given user still has access to the given method.

For example, for a method decorated with [Authorize(Roles = "admin")] I want to make sure that the user is an admin when the call is executed, not that the user was an admin when the token was issued.

After some looking around I am planning to write a public class VerifyTokenAttribute : System.Web.Http.AuthorizeAttribute, apply it globally, and inside OnAuthorization check if the action is decorated with Authorize and, if so, get the user info from the database and confirm that the roles match.

Is there a better way?

tymtam
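The global re-check sketched in the question, written out as an added example (this is not code from the post). ICurrentRoleProvider is a hypothetical abstraction over the database lookup; it is assumed to return the roles the user holds at the moment of the call, and a cache with admin-triggered invalidation could sit behind it.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web.Http;
using System.Web.Http.Controllers;

// Hypothetical: answers "which roles does this user hold right now?" from the database.
public interface ICurrentRoleProvider
{
    ISet<string> GetRoles(string userName);
}

// Registered globally: config.Filters.Add(new VerifyTokenAttribute(provider));
// Overriding IsAuthorized (not OnAuthorization) keeps the base class behaviour that
// skips [AllowAnonymous] actions.
public class VerifyTokenAttribute : AuthorizeAttribute
{
    private readonly ICurrentRoleProvider _roles;

    public VerifyTokenAttribute(ICurrentRoleProvider roles) { _roles = roles; }

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        IPrincipal principal = actionContext.RequestContext.Principal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return false;

        // Every [Authorize(Roles = "...")] on the action or its controller must be satisfied;
        // within one attribute the comma-separated roles are alternatives (any-of), as in the base class.
        var authorizeAttrs = actionContext.ActionDescriptor.GetCustomAttributes<AuthorizeAttribute>()
            .Concat(actionContext.ControllerContext.ControllerDescriptor.GetCustomAttributes<AuthorizeAttribute>())
            .Where(a => !string.IsNullOrWhiteSpace(a.Roles));

        ISet<string> current = null; // fetched lazily: no database hit for actions without role demands
        foreach (AuthorizeAttribute attr in authorizeAttrs)
        {
            var allowed = attr.Roles.Split(',').Select(r => r.Trim()).Where(r => r.Length > 0).ToList();
            if (allowed.Count == 0)
                continue;

            // Consult the database, not the token's role claims, so a revoked role fails immediately.
            current = current ?? _roles.GetRoles(principal.Identity.Name);
            if (!allowed.Any(current.Contains))
                return false;
        }
        return true;
    }
}
```

The stock [Authorize] attribute still runs and still trusts the token's claims; this filter only adds the extra database check on top, so a role that was removed after the token was issued now results in a 401 even though the token itself still carries it.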

1 Answer


I planned on doing basically the same thing. In my case, there exists the definition of "system features", where a Role in the system can perform a number of system features. The features a role can perform can vary, and the administrator can change them any time. So basically, on each request I should grab all the roles a user has, and for each one all the system features it can execute. I thought about something like creating an attribute that would look like this: [CustomAuthorize("Feature_Name")] and applying it at the controller (or action) level. Then, I would need to check if "Feature_Name" is a feature the current user can perform based on their roles. Of course, that would require access to the database each time. A possible enhancement would be to cache this information in a cache server, and the cache would be invalidated each time the admin changes the users' privileges. Something like that. So, as Mayu said: Is there a better way?

Gonzalo Méndez