Is claims based authorization appropriate for individual resources

by

When you are talking about roles and permissions then you are talking about authorization.

Claims are typically not for authorization. (Identity)Claims are there to model the identity of the user: who is the user? The claims on itself do not tell anything about authorization. A user can have a role claim, but this doesn’t tell the application what the user is allowed to do.

Authorization is done by the application, based on who the user is. Think of authorization as a set of rules, like:

  • 18+: allow when user is older than 18 (DateOfBirth).

  • Use car: allow when user has a drivers license.

Or something like that.

Roles are a bit confusing, as they are often misused for authorization. Please read this article for some background information.

The problem with roles IMO is that these are not universal. I can be a Doctor in one hospital, while I’m a Patient in another. And I can be Admin for one tenant, but a User for another tenant. So they have only meaning within a certain context.

The only reason to include roles as claim is that you won’t need to lookup this information as it is already present. But given the previous remark, you actually can’t include this information. And it will only give you headaches when you do. Because you can’t do simple things like update or change permissions or profile settings, until the user logs in again.

So as a rule of thumb: keep authorization close to the resource (api / website). Because that is the place where the business rules are implemented. And that’s the place where you can store and update permissions, etc.

Keep a seperation of concerns when it comes to authentication and authorization. Authentication tells you who the user is, and authorization tells you what the user is allowed to do. Don’t mix these two.

Translating this to your wiki application:

Create a seperate context where you store authorization information like roles and permissions. You can manage this in a central resource (for multiple applications) or use the context in your application. I would not mix this context with the business context.

Add a user in the authorization context and add a role content_contributor. Within the application read the permissions (from the central API, the local authorization context, a settings file, or anything that suits best) for that user (based on the sub claim). Cache it to speed up performance, and apply the rules to determine whether the user is allowed to access the resource.

You can extend this with resource-based authorization. Save the value of the sub claim in the content record to identify the owner. When the current user matches the sub claim value, then the current user is the owner.

You can use the same approach for teams. Add a teams table to the business context and link the user to one or more teams. Directly using the sub claim value or indirectly, using a Users table, also in the business context, where the user is linked to the sub claim value. You can add name, etc. in case you want to show this information (like in a report).

You can save team id and / or user id or sub claim value (owner is member of the same team as current user) in the content record in order to determine the allowed access for the user.

My setup would be like this:

Identity context: users + userclaims. For authentication only. Application independent.

Authorization context: users (id = sub claim) + per application: roles, permissions, etc. In seperate ‘local’ databases or in a central database. For authorization only.

Business context: users (Id, Name, ‘foreign key’ sub claim, without the actual database relation as the table is outside the context) + teams, profile, settings, etc. Linked to the sub claim value when users table is omitted.

In order to keep the users table in the business context up-to-date, periodically refresh the values. You can for instance update values when the user logs in after x time. Or once in a while query the Identity Context (using the API) to request user information (using the identities User Info endpoint).

In all contexts there can be a users table, but they all have a different meaning and contain other information. So there is no redundant information.

Authorization takes place inside the application and is based on the business rules (policies) and authorization information from the authorization context.

As a final remark, when the current system requires role claims (like for User.IsInRole() or [Authorize("role")]) then you can read (from cache) the role / permissions on each call and add these to the claims collection of the current user (claims transformation).

More Related Contents:

  1. How to generate access token using refresh token through google drive API?
  2. what are the URLs for in claim-types
  3. How do you create a custom AuthorizeAttribute in ASP.NET Core?
  4. Best Practices for securing a REST API / web service [closed]
  5. How implement a login filter in JSF?
  6. How to handle authentication/authorization with users in a database?
  7. How to use basic authorization in PHP curl
  8. Redirecting unauthorized controller in ASP.NET MVC
  9. How to dynamically decide access attribute value in Spring Security?
  10. ASP.NET MVC – How to show unauthorized error on login page?
  11. How to implement custom authentication in ASP.NET MVC 5
  12. How to get http headers in flask?
  13. ASP.NET MVC Authorization
  14. Role-based access control (RBAC) vs. Claims-based access control (CBAC) in ASP.NET MVC
  15. How to scrape a website that requires login first with Python
  16. Custom HTTP Authorization Header
  17. Why is my ClaimsIdentity IsAuthenticated always false (for web api Authorize filter)?
  18. Can I use ADFS 2.0 to authenticate certain users against SQL Server?
  19. Multiple HTTP Authorization headers?
  20. Keycloak https auth page unable to acces
  21. How to call a RESTful web service from Android?
  22. ASP.NET MVC 4 custom Authorize attribute – How to redirect unauthorized users to error page? [duplicate]
  23. Accessing post or get parameters in custom authorization MVC4 Web Api
  24. How to Get All Endpoints List After Startup, Spring Boot
  25. What is the appropriate way to manage API secrets within a Google Apps script?
  26. Simple token based authentication/authorization in asp.net core for Mongodb datastore
  27. Auth 1.0 oauth_signature creation Android for magento API
  28. MVC role-based routing
  29. ASP.NET Core – Authorization Using Windows Authentication
  30. ASP.NET 5 Authorize against two or more policies (OR-combined policy)

Leave a Comment