Permission-based Authorization in ASP.NET Core with AuthorizationPolicyProvider

Salar Rabbal
HackerNoon.com
Mar 4, 2019


There are various approaches to implementing dynamic permission-based authorization. In this post I implement a custom AuthorizationPolicyProvider to simplify the permission-based authorization mechanism in ASP.NET Core.

Introduction

With the authorization infrastructure in ASP.NET Core, you can use the following piece of code to apply claim-based authorization with a custom permission claim type:

And you can use it like below:

This approach is built in and very simple, and you don’t need to do any customization; but in a real project, or at enterprise scale, it is hard to define all permissions as claim-based policies. Fortunately, ASP.NET Core supports implementing a custom AuthorizationPolicyProvider and registering it in the DI system. One of its uses is:

Using a large range of policies (for different room numbers or ages, for example), so it doesn’t make sense to add each individual authorization policy with an AuthorizationOptions.AddPolicy call.

Implement AuthorizationPolicyProvider

For this purpose, we can implement AuthorizationPolicyProvider or inherit from DefaultAuthorizationPolicyProvider, which is registered in the DI system as the default provider.

In this implementation, GetPolicyAsync is responsible for finding and returning a policy based on policyName. We can automate the process of defining the policy by overriding it and using an instance of AuthorizationPolicyBuilder. The body of the GetPolicyAsync method first checks whether the received policyName starts with “PERMISSION:”, then splits policyName on the ‘,’ character to retrieve the permission names. Finally, it defines a policy with the retrieved permissions and returns it.

Now, to replace the default registered implementation with this one, use the following code in startup:

Implement PermissionAuthorizeAttribute

As the last step, we need to implement a custom AuthorizeAttribute that sets the Policy property and stores the permission names as a comma-separated string in this property.

And to use it:
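The provider, its registration and the attribute described in the steps above, put together as an added example; it is not the original post's code or the DNTFrameworkCore implementation. The names PermissionConstants and PermissionPolicyProvider, the claim type "Permission" and the permission names in the usage comment are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Options;

public static class PermissionConstants // hypothetical helper, not from the post
{
    public const string PolicyPrefix = "PERMISSION:";
    public const string ClaimType = "Permission"; // assumed custom claim type
}

public class PermissionPolicyProvider : DefaultAuthorizationPolicyProvider
{
    public PermissionPolicyProvider(IOptions<AuthorizationOptions> options) : base(options) { }

    public override Task<AuthorizationPolicy> GetPolicyAsync(string policyName)
    {
        // Names without the prefix are resolved from AuthorizationOptions as usual.
        if (!policyName.StartsWith(PermissionConstants.PolicyPrefix, StringComparison.Ordinal))
            return base.GetPolicyAsync(policyName);

        var permissions = policyName.Substring(PermissionConstants.PolicyPrefix.Length)
            .Split(',').Select(p => p.Trim()).Where(p => p.Length > 0).ToArray();

        var builder = new AuthorizationPolicyBuilder().RequireAuthenticatedUser();
        if (permissions.Length == 0)
            // Fail closed: RequireClaim with no allowed values would accept ANY value of the claim.
            builder.RequireAssertion(_ => false);
        else
            // Several allowed values are OR-ed: holding one listed permission is enough.
            builder.RequireClaim(PermissionConstants.ClaimType, permissions);

        return Task.FromResult(builder.Build());
    }
}

public class PermissionAuthorizeAttribute : AuthorizeAttribute
{
    // Encodes the permission names into the Policy name that the provider parses.
    public PermissionAuthorizeAttribute(params string[] permissions) =>
        Policy = PermissionConstants.PolicyPrefix + string.Join(",", permissions);
}

// Registration in Startup.ConfigureServices:
//   services.AddSingleton<IAuthorizationPolicyProvider, PermissionPolicyProvider>();
// Usage on a controller or action (permission names are constructed):
//   [PermissionAuthorize("Orders.View", "Orders.Edit")]
```

Because ‘,’ is the separator inside the policy name, permission names must not contain commas. To require all of several permissions rather than any one of them, stack the attribute once per permission, since each [Authorize] policy on an action must succeed.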

Conclusion

With the approach explained in this post, you can apply dynamic permission authorization in your ASP.NET Core project simply and with minimal customization.

Also, you can find the complete implementation in the DNTFrameworkCore repository.
