How do you create a custom AuthorizeAttribute in ASP NET Core

Question

I m trying to make a custom authorization attribute in ASP NET Core   In previous versions it was possible to override bool AuthorizeCore HttpContextBase httpContext    But this no longer exists in AuthorizeAttribute   What is the current approach to make a custom AuthorizeAttribute   What I am trying to accomplish  I am receiving a session ID in the Header Authorization  From that ID I ll know whether a particular action is valid

User · Answer

What is the current approach to make a custom AuthorizeAttribute

Easy: don't create your own AuthorizeAttribute.

For pure authorization scenarios (like restricting access to specific users only), the recommended approach is to use the new authorization block: https://github.com/aspnet/MusicStore/blob/1c0aeb08bb1ebd846726232226279bbe001782e1/samples/MusicStore/Startup.cs#L84-L92

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<AuthorizationOptions>(options =>
        {
            options.AddPolicy("ManageStore", policy => policy.RequireClaim("Action", "ManageStore"));
        });
    }
}

public class StoreController : Controller
{
    [Authorize(Policy = "ManageStore"), HttpGet]
    public async Task<IActionResult> Manage() { ... }
}

For authentication, it's best handled at the middleware level.

What are you trying to achieve exactly?

User · Answer

It seems that with ASP NET Core 2  you can again inherit AuthorizeAttribute  you just need to also implement IAuthorizationFilter  or IAsyncAuthorizationFilter     AttributeUsage AttributeTargets Class   AttributeTargets Method  AllowMultiple   true  Inherited   true   public class CustomAuthorizeAttribute   AuthorizeAttribute  IAuthorizationFilter       private readonly string  someFilterParameter       public CustomAuthorizeAttribute string someFilterParameter                 someFilterParameter   someFilterParameter             public void OnAuthorization AuthorizationFilterContext context                var user   context HttpContext User           if   user Identity IsAuthenticated                           it isn t needed to set unauthorized result                 as the base class already requires the user to be authenticated                this also makes redirect to a login page work properly                context Result   new UnauthorizedResult                return                        you can also use registered services         var someService   context HttpContext RequestServices GetService lt ISomeService gt              var isAuthorized   someService IsUserAuthorized user Identity Name   someFilterParameter           if   isAuthorized                        context Result   new StatusCodeResult  int System Net HttpStatusCode Forbidden               return

User · Answer

If anyone just wants to validate a bearer token in the authorize phase using the current security practices you can   add this to your Startup ConfigureServices      services AddSingleton lt IAuthorizationHandler  BearerAuthorizationHandler gt         services AddAuthentication JwtBearerDefaults AuthenticationScheme  AddJwtBearer         services AddAuthorization options   gt  options AddPolicy  Bearer           policy   gt  policy AddRequirements new BearerRequirement                       and this in your codebase   public class BearerRequirement   IAuthorizationRequirement       public async Task lt bool gt  IsTokenValid SomeValidationContext context  string token                   here you can check if the token received is valid          return true           public class BearerAuthorizationHandler   AuthorizationHandler lt BearerRequirement gt          public BearerAuthorizationHandler SomeValidationContext thatYouCanInject                              protected override async Task HandleRequirementAsync AuthorizationHandlerContext context  BearerRequirement requirement                var authFilterCtx    Microsoft AspNetCore Mvc Filters AuthorizationFilterContext context Resource          string authHeader   authFilterCtx HttpContext Request Headers  Authorization            if  authHeader    null  amp  amp  authHeader Contains  Bearer                          var token   authHeader Replace  Bearer    string Empty               if  await requirement IsTokenValid thatYouCanInject  token                                 context Succeed requirement                                     If the code doesn t reach context Succeed      it will Fail anyway  401    And then in your controllers you can use    Authorize Policy    Bearer   AuthenticationSchemes   JwtBearerDefaults AuthenticationScheme

User · Answer

Just adding to the great answer from  Shawn  If you are using dotnet 5 you need to update the class to be  public abstract class AttributeAuthorizationHandler lt TRequirement  TAttribute gt    AuthorizationHandler lt TRequirement gt  where TRequirement   IAuthorizationRequirement where TAttribute   Attribute       protected override Task HandleRequirementAsync AuthorizationHandlerContext context  TRequirement requirement                var attributes   new List lt TAttribute gt                      if  context Resource is HttpContext httpContext                        var endPoint   httpContext GetEndpoint                 var action   endPoint  Metadata GetMetadata lt ControllerActionDescriptor gt                  if action    null                                attributes AddRange GetAttributes action ControllerTypeInfo UnderlyingSystemType                    attributes AddRange GetAttributes action MethodInfo                                             return HandleRequirementAsync context  requirement  attributes              protected abstract Task HandleRequirementAsync AuthorizationHandlerContext context  TRequirement requirement  IEnumerable lt TAttribute gt  attributes        private static IEnumerable lt TAttribute gt  GetAttributes MemberInfo memberInfo    gt  memberInfo GetCustomAttributes typeof TAttribute   false  Cast lt TAttribute gt        Noting the way getting the ControllerActionDescriptor has changed

User · Answer

The modern way is AuthenticationHandlers in startup cs add services AddAuthentication  quot BasicAuthentication quot   AddScheme lt AuthenticationSchemeOptions  BasicAuthenticationHandler gt   quot BasicAuthentication quot   null    public class BasicAuthenticationHandler   AuthenticationHandler lt AuthenticationSchemeOptions gt                private readonly IUserService  userService           public BasicAuthenticationHandler              IOptionsMonitor lt AuthenticationSchemeOptions gt  options              ILoggerFactory logger              UrlEncoder encoder              ISystemClock clock              IUserService userService                base options  logger  encoder  clock                         userService   userService                     protected override async Task lt AuthenticateResult gt  HandleAuthenticateAsync                         if   Request Headers ContainsKey  quot Authorization quot                    return AuthenticateResult Fail  quot Missing Authorization Header quot                 User user   null              try                               var authHeader   AuthenticationHeaderValue Parse Request Headers  quot Authorization quot                     var credentialBytes   Convert FromBase64String authHeader Parameter                   var credentials   Encoding UTF8 GetString credentialBytes  Split new            2                   var username   credentials 0                   var password   credentials 1                   user   await  userService Authenticate username  password                             catch                               return AuthenticateResult Fail  quot Invalid Authorization Header quot                               if  user    null                  return AuthenticateResult Fail  quot Invalid User-name or Password quot                 var claims   new                     new Claim ClaimTypes NameIdentifier  user Id ToString                     new Claim ClaimTypes Name  user Username                              var identity   new ClaimsIdentity claims  Scheme Name               var principal   new ClaimsPrincipal identity               var ticket   new AuthenticationTicket principal  Scheme Name                return AuthenticateResult Success ticket                    IUserService is a service that you make where you have user name and password  basically it returns a user class that you use to map your claims on  var claims   new                     new Claim ClaimTypes NameIdentifier  user Id ToString                     new Claim ClaimTypes Name  user Username                    Then you can query these claims and her any data you mapped  ther are quite a few  have a look at ClaimTypes class you can use this in an extension method an get any of the mappings public int  GetUserId        if  context User Identity IsAuthenticated               var id context User FindFirst ClaimTypes NameIdentifier          if    id is null   amp  amp  int TryParse id Value  out var userId               return userId               return new Nullable lt int gt         This new way  i think is better than the old way as shown here  both work public class BasicAuthenticationAttribute   AuthorizationFilterAttribute       public override void OnAuthorization HttpActionContext actionContext                if  actionContext Request Headers Authorization    null                        var authToken   actionContext Request Headers Authorization Parameter                 decoding authToken we get decode value in  Username Password  format             var decodeauthToken   System Text Encoding UTF8 GetString Convert FromBase64String authToken                   spliting decodeauthToken using                 var arrUserNameandPassword   decodeauthToken Split                      at 0th postion of array we get username and at 1st we get password             if  IsAuthorizedUser arrUserNameandPassword 0   arrUserNameandPassword 1                                     setting current principle                 Thread CurrentPrincipal   new GenericPrincipal new GenericIdentity arrUserNameandPassword 0    null                             else                               actionContext Response   actionContext Request CreateResponse HttpStatusCode Unauthorized                                   else                       actionContext Response   actionContext Request CreateResponse HttpStatusCode Unauthorized                        public static bool IsAuthorizedUser string Username  string Password                   In this method we can handle our database logic here            return Username Equals  quot test quot    amp  amp  Password     quot test quot

User · Answer

For authorization in our app  We had to call a service based on the parameters passed in authorization attribute   For example  if we want to check if logged in doctor can view patient appointments we will pass  View Appointment  to custom authorize attribute and check that right in DB service and based on results we will athorize  Here is the code for this scenario       public class PatientAuthorizeAttribute   TypeFilterAttribute           public PatientAuthorizeAttribute params PatientAccessRights   right    base typeof AuthFilter     PatientAccessRights is an enum               Arguments   new object     right               private class AuthFilter   IActionFilter               PatientAccessRights   right           IAuthService authService           public AuthFilter IAuthService authService  PatientAccessRights   right                        this right   right              this authService   authService                     public void OnActionExecuted ActionExecutedContext context                               public void OnActionExecuting ActionExecutingContext context                        var allparameters   context ActionArguments Values              if  allparameters Count      1                                var param   allparameters First                    if  typeof IPatientRequest  IsAssignableFrom param GetType                                           IPatientRequest patientRequestInfo    IPatientRequest param                      PatientAccessRequest userAccessRequest   new PatientAccessRequest                        userAccessRequest Rights   right                      userAccessRequest MemberID   patientRequestInfo PatientID                      var result   authService CheckUserPatientAccess userAccessRequest  Result    this calls DB service to check from DB                     if  result Status    ReturnType Failure                                                  TODO  return apirepsonse                         context Result   new StatusCodeResult  int System Net HttpStatusCode Forbidden                                                           else                                       throw new AppSystemException  PatientAuthorizeAttribute not supported                                                else                               throw new AppSystemException  PatientAuthorizeAttribute not supported                                      And on API action we use it like this        PatientAuthorize PatientAccessRights PATIENT VIEW APPOINTMENTS     this is enum  we can pass multiple      HttpPost      public SomeReturnType ViewAppointments

User · Answer

You can create your own AuthorizationHandler that will find custom attributes on your Controllers and Actions  and pass them to the HandleRequirementAsync method   public abstract class AttributeAuthorizationHandler lt TRequirement  TAttribute gt    AuthorizationHandler lt TRequirement gt  where TRequirement   IAuthorizationRequirement where TAttribute   Attribute       protected override Task HandleRequirementAsync AuthorizationHandlerContext context  TRequirement requirement                var attributes   new List lt TAttribute gt              var action    context Resource as AuthorizationFilterContext   ActionDescriptor as ControllerActionDescriptor          if  action    null                        attributes AddRange GetAttributes action ControllerTypeInfo UnderlyingSystemType                attributes AddRange GetAttributes action MethodInfo                       return HandleRequirementAsync context  requirement  attributes              protected abstract Task HandleRequirementAsync AuthorizationHandlerContext context  TRequirement requirement  IEnumerable lt TAttribute gt  attributes        private static IEnumerable lt TAttribute gt  GetAttributes MemberInfo memberInfo                return memberInfo GetCustomAttributes typeof TAttribute   false  Cast lt TAttribute gt               Then you can use it for any custom attributes you need on your controllers or actions  For example to add permission requirements  Just create your custom attribute    AttributeUsage AttributeTargets Class   AttributeTargets Method  AllowMultiple   true   public class PermissionAttribute   AuthorizeAttribute       public string Name   get         public PermissionAttribute string name    base  Permission                 Name   name            Then create a Requirement to add to your Policy  public class PermissionAuthorizationRequirement   IAuthorizationRequirement         Add any custom requirement properties if you have them     Then create the AuthorizationHandler for your custom attribute  inheriting the AttributeAuthorizationHandler that we created earlier  It will be passed an IEnumerable for all your custom attributes in the HandleRequirementsAsync method  accumulated from your Controller and Action   public class PermissionAuthorizationHandler   AttributeAuthorizationHandler lt PermissionAuthorizationRequirement  PermissionAttribute gt        protected override async Task HandleRequirementAsync AuthorizationHandlerContext context  PermissionAuthorizationRequirement requirement  IEnumerable lt PermissionAttribute gt  attributes                foreach  var permissionAttribute in attributes                        if   await AuthorizeAsync context User  permissionAttribute Name                                 return                                   context Succeed requirement              private Task lt bool gt  AuthorizeAsync ClaimsPrincipal user  string permission                  Implement your custom user permission logic here           And finally  in your Startup cs ConfigureServices method  add your custom AuthorizationHandler to the services  and add your Policy           services AddSingleton lt IAuthorizationHandler  PermissionAuthorizationHandler gt              services AddAuthorization options   gt                        options AddPolicy  Permission   policyBuilder   gt                                policyBuilder Requirements Add new PermissionAuthorizationRequirement                                   Now you can simply decorate your Controllers and Actions with your custom attribute    Permission  AccessCustomers    public class CustomersController        Permission  AddCustomer        IActionResult AddCustomer  FromBody  Customer customer                  Add customer

User · Answer

As of this writing I believe this can be accomplished with the IClaimsTransformation interface in asp net core 2 and above   I just implemented a proof of concept which is sharable enough to post here   public class PrivilegesToClaimsTransformer   IClaimsTransformation       private readonly IPrivilegeProvider privilegeProvider      public const string DidItClaim    http   foo bar privileges resolved        public PrivilegesToClaimsTransformer IPrivilegeProvider privilegeProvider                this privilegeProvider   privilegeProvider             public async Task lt ClaimsPrincipal gt  TransformAsync ClaimsPrincipal principal                if  principal Identity is ClaimsIdentity claimer                        if  claimer HasClaim DidItClaim  bool TrueString                                 return principal                             var privileges   await this privilegeProvider GetPrivileges                     claimer AddClaim new Claim DidItClaim  bool TrueString                 foreach  var privilegeAsRole in privileges                                claimer AddClaim new Claim ClaimTypes Role    http   schemas microsoft com ws 2008 06 identity claims role      privilegeAsRole                                     return principal            To use this in your Controller just add an appropriate  Authorize Roles  whatever    to your methods    HttpGet   Route  poc     Authorize Roles    plugh blast    public JsonResult PocAuthorization         var result   Json new               when   DateTime UtcNow               result StatusCode    int HttpStatusCode OK       return result      In our case every request includes an Authorization header that is a JWT   This is the prototype and I believe we will do something super close to this in our production system next week   Future voters  consider the date of writing when you vote   As of today  this works on my machine      You will probably want more error handling and logging on your implementation

User · Answer

I m the asp net security person  Firstly let me apologize that none of this is documented yet outside of the music store sample or unit tests  and it s all still being refined in terms of exposed APIs  Detailed documentation is here   We don t want you writing custom authorize attributes  If you need to do that we ve done something wrong  Instead  you should be writing authorization requirements   Authorization acts upon Identities  Identities are created by authentication    You say in comments you want to check a session ID in a header  Your session ID would be the basis for identity  If you wanted to use the Authorize attribute you d write an authentication middleware to take that header and turn it into an authenticated ClaimsPrincipal  You would then check that inside an authorization requirement  Authorization requirements can be as complicated as you like  for example here s one that takes a date of birth claim on the current identity and will authorize if the user is over 18   public class Over18Requirement   AuthorizationHandler lt Over18Requirement gt   IAuthorizationRequirement           public override void Handle AuthorizationHandlerContext context  Over18Requirement requirement                        if   context User HasClaim c   gt  c Type    ClaimTypes DateOfBirth                                 context Fail                    return                             var dateOfBirth   Convert ToDateTime context User FindFirst c   gt  c Type    ClaimTypes DateOfBirth  Value               int age   DateTime Today Year - dateOfBirth Year              if  dateOfBirth  gt  DateTime Today AddYears -age                                 age--                             if  age  gt   18                                context Succeed requirement                             else                               context Fail                                      Then in your ConfigureServices   function you d wire it up   services AddAuthorization options   gt        options AddPolicy  Over18            policy   gt  policy Requirements Add new Authorization Over18Requirement            And finally  apply it to a controller or action method with   Authorize Policy    Over18

User · Answer

Based on Derek Greer GREAT answer  i did it with enums   Here is an example of my code   public enum PermissionItem       User      Product      Contact      Review      Client    public enum PermissionAction       Read      Create      public class AuthorizeAttribute   TypeFilterAttribute       public AuthorizeAttribute PermissionItem item  PermissionAction action        base typeof AuthorizeActionFilter                 Arguments   new object     item  action             public class AuthorizeActionFilter   IAuthorizationFilter       private readonly PermissionItem  item      private readonly PermissionAction  action      public AuthorizeActionFilter PermissionItem item  PermissionAction action                 item   item           action   action            public void OnAuthorization AuthorizationFilterContext context                bool isAuthorized   MumboJumboFunction context HttpContext User   item   action                  if   isAuthorized                        context Result   new ForbidResult                       public class UserController   BaseController       private readonly DbContext  context       public UserController  DbContext context            base                  logger   logger              Authorize PermissionItem User  PermissionAction Read       public async Task lt IActionResult gt  Index                 return View await  context User ToListAsync

User · Answer

The approach recommended by the ASP Net Core team is to use the new policy design which is fully documented here   The basic idea behind the new approach is to use the new  Authorize  attribute to designate a  policy   e g   Authorize  Policy    YouNeedToBe18ToDoThis    where the policy is registered in the application s Startup cs to execute some block of code  i e  ensure the user has an age claim where the age is 18 or older    The policy design is a great addition to the framework and the ASP Net Security Core team should be commended for its introduction   That said  it isn t well-suited for all cases   The shortcoming of this approach is that it fails to provide a convenient solution for the most common need of simply asserting that a given controller or action requires a given claim type   In the case where an application may have hundreds of discrete permissions governing CRUD operations on individual REST resources   CanCreateOrder    CanReadOrder    CanUpdateOrder    CanDeleteOrder   etc    the new approach either requires repetitive one-to-one mappings between a policy name and a claim name  e g  options AddPolicy  CanUpdateOrder   policy   gt  policy RequireClaim MyClaimTypes Permission   CanUpdateOrder      or writing some code to perform these registrations at run time  e g  read all claim types from a database and perform the aforementioned call in a loop    The problem with this approach for the majority of cases is that it s unnecessary overhead   While the ASP Net Core Security team recommends never creating your own solution  in some cases this may be the most prudent option with which to start   The following is an implementation which uses the IAuthorizationFilter to provide a simple way to express a claim requirement for a given controller or action   public class ClaimRequirementAttribute   TypeFilterAttribute       public ClaimRequirementAttribute string claimType  string claimValue    base typeof ClaimRequirementFilter                 Arguments   new object    new Claim claimType  claimValue              public class ClaimRequirementFilter   IAuthorizationFilter       readonly Claim  claim       public ClaimRequirementFilter Claim claim                 claim   claim             public void OnAuthorization AuthorizationFilterContext context                var hasClaim   context HttpContext User Claims Any c   gt  c Type     claim Type  amp  amp  c Value     claim Value           if   hasClaim                        context Result   new ForbidResult                         Route  api resource    public class MyController   Controller        ClaimRequirement MyClaimTypes Permission   CanReadResource         HttpGet      public IActionResult GetResource                 return Ok

User · Answer

The accepted answer  https   stackoverflow com a 41348219 4974715  is not realistically maintainable or suitable because  CanReadResource  is being used as a claim  but should essentially be a policy in reality  IMO   The approach at the answer is not OK in the way it was used  because if an action method requires many different claims setups  then with that answer you would have to repeatedly write something like       ClaimRequirement MyClaimTypes Permission   CanReadResource      ClaimRequirement MyClaimTypes AnotherPermision   AnotherClaimVaue      and etc  on a single action    So  imagine how much coding that would take  Ideally   CanReadResource  is supposed to be a policy that uses many claims to determine if a user can read a resource   What I do is I create my policies as an enumeration and then loop through and set up the requirements like thus     services AddAuthorization authorizationOptions   gt                        foreach  var policyString in Enum GetNames typeof Enumerations Security Policy                                  authorizationOptions AddPolicy                      policyString                      authorizationPolicyBuilder   gt  authorizationPolicyBuilder Requirements Add new DefaultAuthorizationRequirement  Enumerations Security Policy Enum Parse typeof Enumerations Security Policy   policyWrtString   DateTime UtcNow               Note that thisn does not stop you from            configuring policies directly against a username  claims  roles  etc  You can do the usual                                       The DefaultAuthorizationRequirement class looks like     public class DefaultAuthorizationRequirement   IAuthorizationRequirement       public Enumerations Security Policy Policy  get  set     This is a mere enumeration whose code is not shown      public DateTime DateTimeOfSetup  get  set     Just in case you have to know when the app started up  And you may want to log out a user if their profile was modified after this date-time  etc     public class DefaultAuthorizationHandler   AuthorizationHandler lt DefaultAuthorizationRequirement gt        private IAServiceToUse  aServiceToUse       public DefaultAuthorizationHandler          IAServiceToUse aServiceToUse                          aServiceToUse   aServiceToUse             protected async override Task HandleRequirementAsync AuthorizationHandlerContext context  DefaultAuthorizationRequirement requirement                  Here  you can quickly check a data source or Web API or etc              to know the latest date-time of the user s profile modification                       if   aServiceToUse GetDateTimeOfLatestUserProfileModication  gt  requirement DateTimeOfSetup                        context Fail      Because any modifications to user information               e g  if the user used another browser or if by Admin modification               the claims of the user in this session cannot be guaranteed to be reliable                             return                     bool shouldSucceed   false    This should first be false  because context Succeed      has to only be called if the requirement specifically succeeds           bool shouldFail   false    This should first be false  because context Fail            doesn t have to be called if there s no security breach                         You can do anything          await doAnythingAsync              You can get the user s claims               ALSO  note that if you have a way to priorly map users or users with certain claims            to particular policies  add those policies as claims of the user for the sake of ease             BUT policies that require dynamic code  e g  checking for age range  would have to be            coded in the switch-case below to determine stuff                     var claims   context User Claims              You can  of course  get the policy that was hit            var policy   requirement Policy            You can use a switch case to determine what policy to deal with here            switch  policy                        case Enumerations Security Policy CanReadResource                     Do stuff with the claims and change the                       value of shouldSucceed and or shouldFail                                      break              case Enumerations Security Policy AnotherPolicy                     Do stuff with the claims and change the                      value of shouldSucceed and or shouldFail                                       break                     Other policies too               default                   throw new NotImplementedException                          Note that the following conditions are              so because failure and success in a requirement handler              are not mutually exclusive  They demand certainty                      if  shouldFail                        context Fail      Check the docs on this method to              see its implications                                                    if  shouldSucceed                        context Succeed requirement                          Note that the code above can also enable pre-mapping of a user to a policy in your data store  So  when composing claims for the user  you basically retrieve the policies that had been pre-mapped to the user directly or indirectly  e g  because the user has a certain claim value and that claim value had been identified and mapped to a policy  such that it provides automatic mapping for users who have that claim value too   and enlist the policies as claims  such that in the authorization handler  you can simply check if the user s claims contain requirement Policy as a Value of a Claim item in their claims  That is for a static way of satisfying a policy requirement  e g   First name  requirement is quite static in nature  So  for the example above  which I had forgotten to give example on Authorize attribute in my earlier updates to this answer   using the policy with Authorize attribute is like as follows  where ViewRecord is an enum member    Authorize Policy   nameof Enumerations Security Policy ViewRecord       A dynamic requirement can be about checking age range  etc  and policies that use such requirements cannot be pre-mapped to users   An example of dynamic policy claims checking  e g  to check if a user is above 18 years old  is already at the answer given by  blowdart  https   stackoverflow com a 31465227 4974715    PS  I typed this on my phone  Pardon any typos and lack of formatting

[c#] How do you create a custom AuthorizeAttribute in ASP.NET Core?

Examples related to c#

Examples related to asp.net-core

Examples related to asp.net-core-mvc

Examples related to authorization