0

I am lost in all options that is possible for managing what a user can do and what a user can not do. I started with Roles: [Authorize(Roles = Constants.Roles.ModeratorAndUp)]. Where ModeratorAndUp is string "Moderators, Administrators".
But I need more flexible approach. For the past 3 hours I am reading about Claims and permissinos. I also found this interesting blog post.

I am using Angular and ASP.NET Core together with Universal template. For authentication I am using OpenIddict. I was following a book.

I want to use JWT token for authorisation and authentication. I don't know how permission should be handled in .NET Core, but I have 100 different Roles and it is complete mess. And also when I create new user, I need to manually add it arround 20 roles. It would be nice If I could create Groups which has Roles/Permissions and then add User to this group. But don't know how this design will play with OpenIdDict and JWT token authorisation.

Can someone point me in the right direction, and then I will research on my own.
I am not sure should I build some system that will automatically update user roles when I change Group Permissions/Roles, should I go with Claims ... I would like to use [Authorize] attribute, because it really simplify things.

What/how/which is the best practice to do JWT Token authentication/authorisation in ASP.NET Core.

Makla
  • 9,899
  • 16
  • 72
  • 142
  • 1
    Think about roles as a group of claims, then you'll know how to solve it – Tseng Jun 05 '17 at 13:31
  • 1
    `But don't know how this design will play with OpenIdDict and JWT token authorisation.`: using claims with OpenIddict is absolutely not different from using claims with the cookies middleware (under the hood, the authorization stack doesn't depend on the way you authenticate your users, so the same concepts apply to both cookies and tokens). I'd also go with privileges/permissions, as suggested by @ssmith. If you think you end up adding too many claims in your tokens, don't miss https://stackoverflow.com/questions/42496306/openidconnect-access-token-size-and-accessing-claims-server-side. – Kévin Chalet Jun 09 '17 at 19:02

1 Answers1

1

Think of claims as being something a bit more flexible than roles. That said, if you have complex business rules that don't necessarily map simply to groups the user belongs to, you can encapsulate your permissions into Privileges (classes whose responsibility is to determine whether a given user has a certain privilege over a given resource. See more here: http://ardalis.com/favor-privileges-over-role-checks

This tends to reduce a lot of conditional complexity in your UI layer, in my experience.

ssmith
  • 8,092
  • 6
  • 52
  • 93