4,815 questions
ASP.NET Identity Claims - getting started
David Thielen
3,211
Reputation points
Hi all;
First off, among other pages I have read this and this.
I have ASP.NET Identity working well on my Blazor server app for Identification. I'm now on to the Authorization part and have a couple of questions.
My app is handling volunteers for political campaigns. So user A may be an admin for "Dave for President" and "Shirley for Senate" while user B is an admin for "Shirley for Senate" and "Tanya for CD-3".
Because they have an admin claim, they can go to the CreateEvent page. But their specific claims determine both which events they see as well as which they can create events for (just for the campaigns they're an admin of).
So, a couple of questions:
- Is there a good intro anywhere explaining how to set this all up. Both CRUD of the claims as well as then using those to determine if a page can be accessed, and then programmatically limiting data/actions on the page? On Blazor server.
- I found a great example of handling CRUD for the claims (I think it was MVC but that is 90% of the effort for Blazor server) - and I lost it. If you know where this is, please post the link.
- What are the trade-offs of having a single
Claim("admin", "Dave for President;Shirley for Senate")vs having two:Claim("admin", "Dave for President")andClaim("admin", "Shirley for Senate")? - Am I missing anything? Or is this all simply determining access of pages and conditional selection of data and functionality on a page?
- Should I be using Roles at all? Or just Claims?
thanks - dave
Developer technologies | ASP.NET | ASP.NET Core
{count} votes
-
AgaveJoe 30,126 Reputation points2023-05-25T20:32:05.1633333+00:00 Is there a good intro anywhere explaining how to set this all up. Both CRUD of the claims as well as then using those to determine if a page can be accessed, and then programmatically limiting data/actions on the page? On Blazor server
A claim is just a name/value pair that further describes a user. I think you are looking for Claims-based authorization in ASP.NET Core, Policy-based authorization in ASP.NET Core, or Resource-based authorization in ASP.NET Core. Keep in mind, Blazor has components not pages.
What are the trade-offs of having a single
Claim("admin", "Dave for President;Shirley for Senate")vs having two:Claim("admin", "Dave for President")andClaim("admin", "Shirley for Senate")?The second example is easily queried while the first example is much harder to query.
Am I missing anything? Or is this all simply determining access of pages and conditional selection of data and functionality on a page?
I have no idea what you're thinking obviously but the authorization rules are logic that you must design. Frankly, the number ways to implement this are infinite.
Should I be using Roles at all? Or just Claims?
To me an admin is a role. A claim is like an email address or birthdate. Also, Identity has a RoleClaims table which is useful if roles have claims.
I would rethink the design. Campaigns are time bound and therefore probably not good candidates for a claim or a role. I would design a data driven solution. A campaign table describes each of the campaigns. User accounts are added to the campaign (UserCampaign table) which makes it much easier to partition the data using scripts or LINQ. The user can only see the campaigns the user belongs to because the data is filtered by a join. Since campaigns end, the campaign table can have an end date column. Now you can filter by active campaigns and still see history. I think a data driven approach will simplify the authorization logic.
-
David Thielen 3,211 Reputation points
2023-05-26T19:10:53.0633333+00:00 thank you
-
David Thielen 3,211 Reputation points
2023-05-26T19:12:40.35+00:00 thank you
-
David Thielen 3,211 Reputation points
2023-05-27T14:16:42.1233333+00:00 In the first linked article, where it shows how to limit access using:
[Authorize(Policy = "EmployeeOnly")]Does that work in Blazor or is this for MVC? It says razor files but I think it’s MVC razor files, not Blazor.
And same question for the other two links - aren’t they also for MVC apps?
thanks - Dave
-
AgaveJoe 30,126 Reputation points
2023-05-27T15:18:21.2066667+00:00 Does that work in Blazor or is this for MVC?
Blazor components use the syntax; @attribute [Authorize(Policy = "EmployeeOnly")].
And there's the an AuthorizeView component.
In my opinion, Blazor WASM, MVC, or Razor Pages is a better framework for this project.
-
David Thielen 3,211 Reputation points
2023-05-28T07:35:46.3666667+00:00 In my opinion, Blazor WASM, MVC, or Razor Pages is a better framework for this project.
They might work better with the Identity package. But I'd never let one component force the approach for an entire app. And for the rest of my application Blazor server is a dream. Damn close to perfect.
Thank you for the link.
- dave
-
AgaveJoe 30,126 Reputation points
2023-05-31T13:55:38.7633333+00:00 But I'd never let one component force the approach for an entire app.
Well, that one component is the application's authentication/authorization API.
Sign in to comment
Sign in to answer