aspnetauthorizationworkshop's People

Contributors

blowdart avatar mii9000 avatar peinearydevelopment avatar spottedmahn avatar

aspnetauthorizationworkshop's Issues

Please upgrade for 2.2 and 3.0

Requesting you to please create two repos, one for ASP.NET Core 2.2 and one for 3.0.
This will help a lot of devs like me to clearly understand what needs to be done and what should be done.
If possible, please create a flow diagram as well, giving out information like which scenario it fits more and which not.
Thank you,
Dheeraj Kumar

Step 7 code OK, doc incorrect

var authorizationResult = await AuthorizationService.AuthorizeAsync(User, document, new EditRequirement());

should be
var authorizationResult = await _authorizationService.AuthorizeAsync(User, document, new EditRequirement());

Lacks documentation on persisting claims

I think the claims guidance in this workshop is great, but I have been digging for a guide that has something like,

Step 1) Setup Identity
Step 2) Setup EF
Step 3) Save your user's claims like this

Every Identity/EF guide is focused on Individual User Profiles, i.e. form-based authentication. That's great, but I'm using Windows Authentication. How do I cut the head off of FBA and plug in my own authentication method? At this point I'm piecemealing multiple articles, hopefully landing on a good solution, for something that honestly I'm sure a lot of people need (Windows-based intranet apps still exist).

Would it be possible to at least add some guidance within the readme.md concerning next steps for things that devs are going to need to do to use claims-based authorization, i.e. a section on Claims Persistence Best Practices in ASP.NET ...

Add Unit Tests for Authorization

This was a great video and sample project for understanding the new authorization classes available to dotnet core. Thanks for putting it together. I would love to see unit tests for the controllers, handlers etc...

Amended info...
I found an example of unit testing custom authorization here: https://github.com/henningst/ASPNETCore-AuthorizationDemo

One of my last open-ended questions is with unit testing the controllers. I have a Moq IAuthorizationService created and I pass that into the constructor. However, that really is not testing if the controllers have the right policies or the authorizationService logic correct. Do you have suggestions for unit testing this?
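As an added example (not code from the workshop or from the linked demo): a resource-based handler for the workshop's EditRequirement, assumed here to allow editing only when the document's Author matches the user's name claim, exercised directly with xunit by building a ClaimsPrincipal and an AuthorizationHandlerContext. This tests the handler's rule itself, with no controller and no mocked IAuthorizationService in between; Document and DocumentAuthorizationHandler are hypothetical shapes.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Xunit;

public class Document { public int Id { get; set; } public string Author { get; set; } }
public class EditRequirement : IAuthorizationRequirement { }

// Hypothetical handler: only the author may edit (the workshop's real rule may differ).
public class DocumentAuthorizationHandler : AuthorizationHandler<EditRequirement, Document>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
        EditRequirement requirement, Document resource)
    {
        if (resource.Author == context.User.Identity.Name)
        {
            context.Succeed(requirement);
        }
        // No Fail(): an unmet requirement simply stays unmet, so other handlers may still decide.
        return Task.CompletedTask;
    }
}

public class DocumentAuthorizationHandlerTests
{
    // Build a principal the way an authentication handler would; "test" is the auth type.
    private static ClaimsPrincipal UserNamed(string name) =>
        new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, name) }, "test"));

    private static async Task<bool> Evaluate(ClaimsPrincipal user, string author)
    {
        var requirement = new EditRequirement();
        var context = new AuthorizationHandlerContext(
            new[] { requirement }, user, new Document { Id = 1, Author = author });
        await new DocumentAuthorizationHandler().HandleAsync(context);
        return context.HasSucceeded;
    }

    [Fact]
    public async Task Author_can_edit() => Assert.True(await Evaluate(UserNamed("alice"), "alice"));

    [Fact]
    public async Task Other_user_cannot_edit() => Assert.False(await Evaluate(UserNamed("bob"), "alice"));

    [Fact]
    public async Task Anonymous_user_cannot_edit()
    {
        // An empty identity reports Name == null, so it never matches an author.
        Assert.False(await Evaluate(new ClaimsPrincipal(new ClaimsIdentity()), "alice"));
    }
}
```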

webapi how to do Authorization?

Great demo. I can use a cookie in MVC's AuthorizationHandler, but I use the app to request a Web API. How do I deal with authorization in ASP.NET Core? Is a cookie not needed? Can you help me to answer the question? Thank you.

Step 8 Doc incorrect

var authorizationResult = await AuthorizationService.AuthorizeAsync(User, document, new EditRequirement());

should be
var authorizationResult = await AuthorizationService.AuthorizeAsync(User, document, requirement);

like it is in the source code.

Resource based authorisation broken in Core 2 branch

I think that step 7 is broken in the core 2 branch - if you attempt to load Document 2, then you end up in an infinite redirect loop. I've only tested the core 2 branch using the preview 2 packages, but as far as I can see, this will be an issue on RTM too.

I believe the issue is that the ChallengeResult is no longer (in 2.0) converted to a 403 response if you're already authenticated, so you end up in an infinite redirection loop in the DocumentController.Edit method:

public async Task<IActionResult> Edit(int id)
{
    var document = _documentRepository.Get(id);

    if (document == null)
    {
        return new NotFoundResult();
    }

    var authorizationResult = await _authorizationService.AuthorizeAsync(User, document, new EditRequirement());

    if (authorizationResult.Succeeded)
    {
        return View(document);
    }
    else
    {
        return new ChallengeResult(); // <-- if I'm already logged in, should return a 403
    }
}

I don't think this is a bug per se, but it's definitely a change in behaviour from 1.x and at the very least should be documented. I'm not entirely sure what the intended code should look like here.

Assuming that I'm not being an idiot (a big if), there only seems to be two options with the current behaviour:

  1. Inject an IPolicyEvaluator, call AuthenticateAsync, and AuthorizeAsync manually, as in the AuthorizeFilter.
  2. Replace the line return new ChallengeResult(); with
     return User.Identity.IsAuthenticated
         ? (IActionResult) new ForbidResult()
         : new ChallengeResult();

The latter seems preferable, but it's still pretty gnarly (if it's even actually correct?).

Thanks!

P.S. As a fellow Brit, and knowing your feelings on bastardised spelling, I hope you enjoy the prevalence of 'ou' and lack of 'z' 😉
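One way to apply the second option above, as an added example that is not part of the workshop's code: the action returns Forbid() for an authenticated user who fails the resource check and Challenge() only for an anonymous one, and the cookie handler is given an explicit AccessDeniedPath so the ForbidResult becomes a redirect to that page rather than another login challenge. DocumentController, _documentRepository and EditRequirement follow the issue text; IDocumentRepository, Document, AuthSetup and the two paths are assumptions.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Document { public int Id { get; set; } public string Author { get; set; } }
public interface IDocumentRepository { Document Get(int id); }   // assumed shape
public class EditRequirement : IAuthorizationRequirement { }

// Startup fragment (ASP.NET Core 2.x). With AccessDeniedPath set, the cookie handler
// answers a ForbidResult with a 302 to that page; if it is left empty it writes a 403.
// Either way the already-authenticated user is not sent back round the login loop.
public static class AuthSetup
{
    public static void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.LoginPath = "/Account/Login";               // assumed path
                options.AccessDeniedPath = "/Account/AccessDenied"; // assumed path
            });
    }
}

public class DocumentController : Controller
{
    private readonly IDocumentRepository _documentRepository;
    private readonly IAuthorizationService _authorizationService;

    public DocumentController(IDocumentRepository repo, IAuthorizationService auth)
    {
        _documentRepository = repo;
        _authorizationService = auth;
    }

    public async Task<IActionResult> Edit(int id)
    {
        var document = _documentRepository.Get(id);
        if (document == null) return NotFound();

        var result = await _authorizationService.AuthorizeAsync(User, document, new EditRequirement());
        if (result.Succeeded) return View(document);

        // Authenticated but not allowed: Forbid, never re-challenge (that re-challenge is the
        // redirect loop described above). Anonymous: Challenge so the login flow starts.
        return User.Identity.IsAuthenticated ? (IActionResult)Forbid() : Challenge();
    }
}
```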

Include Windows Authentication Examples

Would be great to see some examples included here that use Windows authentication. There doesn't seem to be a lot of information out there yet on how to handle custom authorization in an ASP.NET Core app with Windows authentication. The best information I have found so far is your SO post:

[http://stackoverflow.com/a/40225551/432085]

Missing comma

await HttpContext.SignInAsync(
CookieAuthenticationDefaults.AuthenticationScheme

should be
await HttpContext.SignInAsync(
CookieAuthenticationDefaults.AuthenticationScheme,

Compatibility with Old Systems

Hi,

I followed the Part-1 and Part-2 videos and also this workshop by @blowdart; they are awesome and well organized. They helped me to quickly gain knowledge about the security topic in ASP.NET Core.

I have a few questions related to Authentication. Please excuse me for writing here, as this is related to Authorization. It would be very nice to get some insight into this topic from Microsoft Security Specialists. Certainly the answers would be helpful for me and probably for other people like me.

So I start here...

Our team has a few systems built on previous .NET Frameworks that use a FormsAuth token (cookie),
and we started to build a new system in ASP.NET Core; we would like to share the credentials that are being used by the other systems seamlessly. So far we have been able to decrypt the FormsAuth cookie following the answer by Darrell Tunnell; it was useful for the decryption part, yet needs some work around encryption.

http://stackoverflow.com/questions/34265117/mvc6-decrypting-a-forms-authentication-cookie-from-another-website

Is there any other alternative way that is built into the ASP.NET Core framework, so that I can seamlessly share the credentials between different systems, like reading (decryption) them if they already exist or writing (encryption) them if they do not? In ASP.NET Core I do not see the possibility of sharing the MachineKey that is used for encryption and decryption of the FormsAuth token (cookie) from other systems.

Thanks,
Anil.

Global authorization Config in Startup.cs Not working

Hi,

I want to configure global authorization for all actions in all my controllers (Forcing it to go through my Account Controller). I am using the below piece of code from the Step_4_Simple_Policies lab project.

Startup.cs:
services.AddMvc(config =>
{
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
    config.Filters.Add(new AuthorizeFilter(policy));
});

public class HomeController : Controller
{
    // GET: //
    public IActionResult Index()
    {
        return View();
    }
}

I also went through the explanation (Please Refer Step 2 Authorize all Things heading) (https://github.com/blowdart/AspNetAuthorizationWorkshop )

Based on my understanding, I expect the below behavior.

Expected Behavior:
After I remove the Authorize tag from my controller, add the global authorization code in startup.cs, and prefix the [AllowAnonymous] tag in my account controller, all actions should go via my Login action in my Account controller for authorization.

Current Behavior:

System doesn't hit Account Controller login action. This indicates global authorization configuration is not working.

Please let me know if I am missing something.

PS: I have the latest RTM Core libraries with VS Update 3.

Thanks,
Valliappan

404 not 401 I think...

On Step 1 Authorization
Run the project and panic. You get a blank page. Open the IE Dev Tools, click Network then refresh the browser. You will see you are getting a 401 returned. The server is telling you that you are unauthorized.

At this step I'm getting a 302 to http://localhost:51396/Account/Login/?ReturnUrl=%2F and then 404 because Account/Login hasn't been created at this point in the lab.

Login...

It'd be great to see actual Login validation implemented.

401 instead of 403

Hi,

I'm getting a 401 instead of 403 when using Azure AD for authentication in ASP.NET Core.

I've set a global policy to RequireAuthenticatedUser, and it works just fine. When I access any controller in my app, if the user is not authenticated it returns a 401.

I created a custom policy "AdminOnly" and applied it to a controller:

    [Authorize (Policy = "AdminOnly")]
    public class WebTestController : Controller
    {

If the user is not authenticated, it redirects to https://login.microsoftonline.com/ as expected. If the user is authenticated and fulfills the policy requirements everything goes well, but if the user does not meet the requirements there are problems, and the problem depends on whether options.AutomaticChallenge = true or false. If true, the app gets caught up in a loop:

Pieces from debug output:

Microsoft.AspNet.Mvc.Controllers.ControllerActionInvoker: Warning: Authorization failed for the request at filter 'Microsoft.AspNet.Mvc.Filters.AuthorizeFilter'.
Microsoft.AspNet.Authentication.OpenIdConnect.OpenIdConnectMiddleware: Information: AuthenticationScheme: OpenIdConnect was challenged.
Microsoft.AspNet.Mvc.ChallengeResult: Information: Executing ChallengeResult with authentication schemes ().

If options.AutomaticChallenge = false, it returns a 401.

Any ideas how I can fix this?

Relevant pieces of Startup.cs

            services.AddAuthorization(options =>
            {
                options.AddPolicy("AdminOnly", policy => policy.Requirements.Add(new AdminNameRequirement("Tyrion Lannister")));
            });

            services.AddMvc(config =>
            {
                var policy = new AuthorizationPolicyBuilder()
                    .RequireAuthenticatedUser()
                    .Build();
                config.Filters.Add(new AuthorizeFilter(policy));
            });
        }

        public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
        {
            //(...)
            app.UseCookieAuthentication(options =>
            {
                options.AutomaticAuthenticate = true;
            });

            app.UseOpenIdConnectAuthentication(options =>
            {
                options.AutomaticChallenge = true;
                options.ClientId = Configuration["Authentication:AzureAd:ClientId"];
                options.Authority = Configuration["Authentication:AzureAd:AADInstance"] + Configuration["Authentication:AzureAd:TenantId"];
                options.PostLogoutRedirectUri = Configuration["Authentication:AzureAd:PostLogoutRedirectUri"];
                options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            });

            app.UseMvc(routes =>
            {
                routes.MapRoute(
                    name: "default",
                    template: "{controller=Home}/{action=Index}/{id?}");
            });
        }

        // Entry point for the application.
        public static void Main(string[] args) => WebApplication.Run<Startup>(args);
    }
}
