I have a very simple minimal API (.NET 6 with JWT Authentication Scheme) with 5 endpoints which:
- 2 are read, protected by a "ReadScope"
- 3 are write, protected by a "WriteScope"
app.MapGet("v1/getpet", GetPet)
    .RequireAuthorization("ReadOperation");

app.MapDelete("v1/deletepet", DeletePet)
    .RequireAuthorization("WriteOperation");
I'm also building my policies from appsettings:
{
  "SecurityPolicies": {
    "WriteOperation": {
      "PolicyName": "WriteOperation",
      "ClientScopes": [ "WriteScope" ]
    },
    "ReadOperation": {
      "PolicyName": "ReadOperation",
      "ClientScopes": [ "ReadScope" ]
    }
  }
}
and this is part of my extension method:
services.AddAuthorization(options =>
{
    foreach (var policy in policies)
    {
        var policyBuilder = new AuthorizationPolicyBuilder();
        if (policy.ClientScopes is not null && policy.ClientScopes.Any())
        {
            // Any one of the listed values satisfies the "scope" claim requirement.
            policyBuilder.RequireClaim("scope", policy.ClientScopes);
        }
        options.AddPolicy(policy.PolicyName, policyBuilder.Build());
    }
});
These policies are working (if I give a client only the read scope, all write endpoints give back a 403 status code), but I would like to create a new policy called "FullAccess" which gives full access to all endpoints. I don't understand how I can do this with minimal API.
I read in other StackOverflow threads that I need some custom handlers, but they were explained for classic MVC APIs. I would like to implement something like "This endpoint requires FullAccess scope OR Write scope" and "This endpoint requires FullAccess scope OR Read scope".
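One way to get the "FullAccess OR Write" / "FullAccess OR Read" behaviour without custom handlers, as an added example that is not the asker's code: the accepted-values list of a scope requirement already has OR semantics, so adding the FullAccess scope to every configured policy's accepted set is enough. The example uses RequireAssertion instead of RequireClaim so that it also matches the common OAuth form of the claim, a single space-delimited "scope" string, which RequireClaim would never match. The SecurityPolicy class, the FullAccessScope constant and the admin endpoint are assumptions made for the illustration; the JWT bearer options are left to the asker's existing configuration.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);

// Bind the "SecurityPolicies" section from appsettings. The SecurityPolicy class
// at the bottom is an assumed shape matching the question's JSON.
var policies = builder.Configuration
    .GetSection("SecurityPolicies")
    .Get<Dictionary<string, SecurityPolicy>>() ?? new();

const string FullAccessScope = "FullAccess";

// JWT bearer setup stays as in the asker's project; Authority, Audience and
// token validation parameters go into the AddJwtBearer call as before.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer();

builder.Services.AddAuthorization(options =>
{
    foreach (var policy in policies.Values)
    {
        // Accept any of the configured scopes OR the FullAccess scope.
        var accepted = new HashSet<string>(policy.ClientScopes, StringComparer.Ordinal)
        {
            FullAccessScope
        };

        options.AddPolicy(policy.PolicyName, pb => pb
            .RequireAuthenticatedUser()
            .RequireAssertion(ctx => HasAnyScope(ctx.User, accepted)));
    }

    // A policy satisfied only by FullAccess, for endpoints that plain read or
    // write scopes must never reach.
    options.AddPolicy(FullAccessScope, pb => pb
        .RequireAuthenticatedUser()
        .RequireAssertion(ctx => HasAnyScope(ctx.User, new[] { FullAccessScope })));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Handlers are placeholders; the asker's GetPet/DeletePet methods fit here unchanged.
app.MapGet("v1/getpet", () => Results.Ok("pet")).RequireAuthorization("ReadOperation");
app.MapDelete("v1/deletepet", () => Results.NoContent()).RequireAuthorization("WriteOperation");
app.MapPost("v1/admin/reset", () => Results.NoContent()).RequireAuthorization(FullAccessScope);

app.Run();

// Tokens carry scopes either as repeated "scope" claims (JSON array in the token)
// or as one space-delimited "scope" string. Splitting every claim value on spaces
// makes "ReadScope FullAccess" match exactly like ["ReadScope", "FullAccess"].
static bool HasAnyScope(ClaimsPrincipal user, IEnumerable<string> accepted)
{
    var allowed = accepted as ISet<string>
                  ?? new HashSet<string>(accepted, StringComparer.Ordinal);
    return user.FindAll("scope")
        .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
        .Any(allowed.Contains);
}

// Assumed settings class matching the question's JSON (parameterless constructor
// so the .NET 6 configuration binder can populate it).
public class SecurityPolicy
{
    public string PolicyName { get; set; } = string.Empty;
    public string[] ClientScopes { get; set; } = Array.Empty<string>();
}
```

With this in place a token whose scope claim contains only ReadScope still gets 403 on the write endpoints, a token carrying FullAccess passes every policy, and the dedicated "FullAccess" policy guards endpoints that should reject read and write tokens outright. If the asker prefers to keep RequireClaim, the equivalent is to append "FullAccess" to each ClientScopes array in appsettings, since RequireClaim with several allowed values is already an OR; that variant only works when the provider emits the scope claim as an array.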