Are Claims the best way to handle programmatic logic determining what is displayed?

David Thielen 2,281 Reputation points
2023-05-07T08:15:30.41+00:00

I am writing an application to manage volunteers for political campaigns. This is a lot more complicated than any past multi-tenant app I've written and so I am asking for guidance here as to whether claims are the best way to handle this. And if so, any guidance on the implementation.

First off you have admins, managers, & volunteers. They each have different things they can see and do. But in addition, they are limited to one or a small set of campaigns. For example, the admin for a state legislative campaign in New Jersey has no access at any level to a senate race in Colorado.

While there are some web pages where you must be an admin or manager, most of the limitations, including the admin only pages, limit what specifics are displayed on the page. Every manager can go to the "create a volunteer event" page. But they are all limited to only seeing existing and creating new events for the campaign they manage.

Oh, and some users will be an admin and/or manager for several campaigns. And most volunteers will be a volunteer on several campaigns.

So...

  1. Are claims the way to go on this?
  2. And to implement this, I have the ASP.NET Core Identity incorporated into my system with Identification(login) working. So I would use the claims part of this - correct?
  3. Do I then create for each user a bunch of claims like Claim(admin, "Dave for Pres")?
  4. Do I then write my queries to FindAll(ev => ev.Campaign.Name == claim.name) to populate the existing events?
  5. This means I'm creating all these claims as people get/lose rights and map them to the campaigns. So I need to keep them in sync.
    1. And no need to create a claim that would be given to every user. For that, just require an authenticated user - correct?
  6. Am I missing anything?

The alternative is each campaign object has a collection of admins, managers, and volunteers.

  • Advantage - the "claim" is a part of the campaign object and so no need to sync.
  • Disadvantage - the "claim" has moved from the Identity system to a business object.
  • Any other advantages/disadvantages?

thanks - dave

Blazor

2 answers

  1. David Thielen 2,281 Reputation points
    2023-05-08T14:05:46.2933333+00:00

    I asked ChatGPT and got what seems to be a solid answer:

    It seems like claims-based authorization is a good fit for your use case. Claims offer a flexible way to define roles and permissions for users, which would be beneficial for handling complex multi-tenant applications such as your political campaign volunteer management system. I'll address your questions and concerns one by one:
    
    1. Yes, you can use the claims-based authorization feature of ASP.NET Core Identity for this purpose.
    
    2. You can create claims for each user to represent their roles and campaign associations, such as `Claim("Role:Admin", "Dave for Pres")` or `Claim("Role:Manager", "Jane for Senate")`. You can also consider using a combination of roles and policy-based authorization to manage access to different parts of your application.
    
    3. For querying, you can filter the results based on the claims the user has. For example, if a user has the claim `Claim("Role:Manager", "Jane for Senate")`, you can fetch events that belong to the "Jane for Senate" campaign.
    
    4. Yes, you'll need to manage claims as users gain or lose rights and campaigns. You can store the claims in the user management system and update them as needed.
    
    5. You're correct, if a particular feature or page should be accessible to any authenticated user, you can simply require the user to be authenticated, without checking for specific claims.
    
    6. As for the alternative approach, where each campaign object has a collection of admins, managers, and volunteers, there are some pros and cons:
    
       Pros:
       - Simplified data model, as permissions are stored directly within the campaign object.
       - No need to manage synchronization between claims and campaign data.
    
       Cons:
       - Less flexible compared to claims-based authorization, which allows for more granular control of user permissions.
       - Role management becomes part of the business logic rather than a separate identity management system.
    
    In summary, using claims-based authorization with ASP.NET Core Identity should provide you with the flexibility and granularity needed to manage user permissions in your multi-tenant political campaign volunteer management application. It might require some additional effort to keep claims and campaign data in sync, but the advantages of this approach in terms of flexibility and separation of concerns make it a good choice for your use case.
    
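    The claims layout the quoted answer describes, carried through into working ASP.NET Core code. This is an added example, not code from the question or from the ChatGPT answer; it assumes Identity is already configured, that each user carries claims of the shape `Claim("Role:Admin", "<campaign>")` / `Claim("Role:Manager", "<campaign>")` stored in Identity's user-claims table, and that `Campaign`, `VolunteerEvent`, `AppDbContext` and the policy name `CampaignManager` are placeholders for the asker's own model. The two points it makes that the answer only gestures at: authorization is checked against the campaign the request actually touches (resource-based, so the same policy works from MVC, Razor Pages and Blazor components), and list queries are scoped by the caller's own claims on the server, so a manager of one campaign is never handed another campaign's events.

```csharp
// Added example, not code from the question or the quoted answer. Model classes, the DbContext
// and the policy name are placeholders standing in for the asker's application.
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;

public sealed class Campaign { public int Id { get; set; } public string Name { get; set; } = ""; }
public sealed class VolunteerEvent
{
    public int Id { get; set; }
    public int CampaignId { get; set; }
    public Campaign Campaign { get; set; } = default!;
}
public sealed class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> o) : base(o) { }
    public DbSet<Campaign> Campaigns => Set<Campaign>();
    public DbSet<VolunteerEvent> Events => Set<VolunteerEvent>();
}

// Requirement: the caller must hold one of these roles *for the specific campaign being touched*.
public sealed class CampaignRoleRequirement : IAuthorizationRequirement
{
    public IReadOnlyList<string> Roles { get; }
    public CampaignRoleRequirement(params string[] roles) => Roles = roles;
}

// Resource-based handler: the campaign is handed in as the resource, so the handler reads nothing
// from the URL or the form. Claim type encodes the role, claim value names the campaign,
// e.g. ("Role:Manager", "Jane for Senate"), matching the layout in the thread.
public sealed class CampaignRoleHandler : AuthorizationHandler<CampaignRoleRequirement, Campaign>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, CampaignRoleRequirement requirement, Campaign campaign)
    {
        if (requirement.Roles.Any(role => context.User.HasClaim($"Role:{role}", campaign.Name)))
            context.Succeed(requirement);
        return Task.CompletedTask;   // no Succeed() call means access to this campaign is denied
    }
}

public static class CampaignAuthorization
{
    public const string ManagerPolicy = "CampaignManager";   // placeholder policy name

    public static IServiceCollection AddCampaignAuthorization(this IServiceCollection services)
    {
        services.AddSingleton<IAuthorizationHandler, CampaignRoleHandler>();
        services.AddAuthorization(o => o.AddPolicy(ManagerPolicy, p => p
            .RequireAuthenticatedUser()
            .AddRequirements(new CampaignRoleRequirement("Admin", "Manager"))));
        return services;
    }

    // Every campaign the user holds the given role for, read from their own claims.
    public static List<string> CampaignsWithRole(ClaimsPrincipal user, string role) =>
        user.FindAll($"Role:{role}").Select(c => c.Value).ToList();
}

public sealed class EventsService
{
    private readonly AppDbContext _db;
    private readonly IAuthorizationService _auth;
    public EventsService(AppDbContext db, IAuthorizationService auth) { _db = db; _auth = auth; }

    // "Existing events" on the create-event page: scoped server-side by the caller's claims, so the
    // page cannot be talked into listing a campaign the user has no role in.
    public Task<List<VolunteerEvent>> VisibleEventsAsync(ClaimsPrincipal user)
    {
        var mine = CampaignAuthorization.CampaignsWithRole(user, "Manager")
            .Concat(CampaignAuthorization.CampaignsWithRole(user, "Admin"))
            .Distinct().ToList();
        return _db.Events.Where(e => mine.Contains(e.Campaign.Name)).ToListAsync();
    }

    // Creating an event: authorize against the target campaign as loaded from the database,
    // never against a campaign name supplied by the form.
    public async Task<bool> TryCreateAsync(ClaimsPrincipal user, int campaignId)
    {
        var campaign = await _db.Campaigns.FindAsync(campaignId);
        if (campaign is null) return false;
        var result = await _auth.AuthorizeAsync(user, campaign, CampaignAuthorization.ManagerPolicy);
        if (!result.Succeeded) return false;
        _db.Events.Add(new VolunteerEvent { CampaignId = campaign.Id });
        await _db.SaveChangesAsync();
        return true;
    }
}

// Granting and revoking rights (the "keep them in sync" part). The claim lives in Identity's
// AspNetUserClaims table; bumping the security stamp makes the user's existing cookie fail
// re-validation, so a revoked right is not kept alive by a stale cookie.
public static class CampaignRights
{
    public static async Task GrantAsync(UserManager<IdentityUser> users, IdentityUser user, string role, string campaign)
    {
        await users.AddClaimAsync(user, new Claim($"Role:{role}", campaign));
        await users.UpdateSecurityStampAsync(user);
    }
    public static async Task RevokeAsync(UserManager<IdentityUser> users, IdentityUser user, string role, string campaign)
    {
        await users.RemoveClaimAsync(user, new Claim($"Role:{role}", campaign));
        await users.UpdateSecurityStampAsync(user);
    }
}
```

    One caveat the quoted answer skips: the Identity cookie is a snapshot of the user's claims at sign-in, and the security-stamp validator only re-checks it on an interval (30 minutes by default). If a manager losing a campaign must take effect sooner than that, shorten `SecurityStampValidatorOptions.ValidationInterval` in `Program.cs`, and keep the `UpdateSecurityStampAsync` calls above so the change is actually noticed at the next check.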

  2. Bruce (SqlWork.com) 56,931 Reputation points
    2023-05-08T21:17:54.63+00:00

    The main limitation is the number of claims that can be contained in an access token. Also, a claim is just a claim name and value.

    You probably want the claims in the campaign database.

    Campaigns -> Users -> UserRoles

    If a request includes the campaign id, you could use middleware to load the user roles/claims. This would allow the use of the Authorize attributes.

    A request without a campaign id would be like anonymous access.
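    The middleware design this answer sketches, written out as an added example (not Bruce's code). It assumes the `Campaigns -> Users -> UserRoles` relationship is stored as one `CampaignUserRole` row per (campaign, user, role), that routes carry a `campaignId` parameter, that cookie authentication via Identity is already in place, and that `CampaignDbContext` is a placeholder for the application's own context. Because the roles are looked up on every request, a revoked right takes effect on the next request with nothing to keep in sync, and the cookie itself carries only the user's identity, which sidesteps the token-size limit mentioned above.

```csharp
// Added example, not code from the answer above. Table, context and route names are assumptions.
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Routing;
using Microsoft.EntityFrameworkCore;

public sealed class CampaignUserRole
{
    public int CampaignId { get; set; }
    public string UserId { get; set; } = "";   // Identity user id (the NameIdentifier claim)
    public string Role { get; set; } = "";     // "Admin", "Manager" or "Volunteer"
}

public sealed class CampaignDbContext : DbContext
{
    public CampaignDbContext(DbContextOptions<CampaignDbContext> o) : base(o) { }
    public DbSet<CampaignUserRole> CampaignUserRoles => Set<CampaignUserRole>();
    protected override void OnModelCreating(ModelBuilder b) =>
        b.Entity<CampaignUserRole>().HasKey(r => new { r.CampaignId, r.UserId, r.Role });
}

// Runs after UseRouting and UseAuthentication, before UseAuthorization. When the route names a
// campaign, the user's roles *in that campaign* are loaded from the database and attached as role
// claims, so a plain [Authorize(Roles = "Manager")] is automatically scoped to that campaign.
public sealed class CampaignRoleMiddleware
{
    public const string AuthenticationType = "CampaignRoles";
    private readonly RequestDelegate _next;
    public CampaignRoleMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext ctx, CampaignDbContext db)
    {
        // Who: taken from the authentication cookie. Which campaign: taken from the route, which the
        // client controls, so it only selects which membership rows are read; it grants nothing.
        var userId = ctx.User.FindFirstValue(ClaimTypes.NameIdentifier);
        if (userId is not null
            && ctx.GetRouteValue("campaignId") is string raw
            && int.TryParse(raw, out var campaignId))
        {
            var roles = await db.CampaignUserRoles
                .Where(r => r.CampaignId == campaignId && r.UserId == userId)
                .Select(r => r.Role)
                .ToListAsync(ctx.RequestAborted);

            if (roles.Count > 0)
            {
                var identity = new ClaimsIdentity(AuthenticationType);
                identity.AddClaim(new Claim("campaign_id", campaignId.ToString()));
                foreach (var role in roles)
                    identity.AddClaim(new Claim(ClaimTypes.Role, role));
                ctx.User.AddIdentity(identity);   // ClaimsPrincipal.IsInRole now sees these roles
            }
        }
        // No campaign id in the route, or not a member of that campaign: no roles are added, so
        // role-restricted endpoints fail closed, which is the "anonymous access" behaviour above.
        await _next(ctx);
    }
}

public static class CampaignRolePipeline
{
    public static IApplicationBuilder UseCampaignRoles(this IApplicationBuilder app) =>
        app.UseMiddleware<CampaignRoleMiddleware>();

    // Pipeline order matters: routing must have resolved {campaignId} and the cookie must have been
    // read before the middleware runs, and authorization must run after it.
    public static void MapCampaignEndpoints(this WebApplication app)
    {
        app.UseRouting();
        app.UseAuthentication();
        app.UseCampaignRoles();
        app.UseAuthorization();

        // Demo endpoint: answers only for admins/managers of the campaign named in the URL, and
        // shows which campaign-scoped roles the middleware attached for this request.
        app.MapGet("/campaigns/{campaignId:int}/roles", (int campaignId, ClaimsPrincipal user) =>
                Results.Ok(new
                {
                    campaignId,
                    roles = user.FindAll(ClaimTypes.Role).Select(c => c.Value).ToArray()
                }))
            .RequireAuthorization(p => p.RequireRole("Admin", "Manager"));
    }
}
```

    Two caveats for this Blazor-tagged question: in Blazor Server, per-request middleware only runs for the initial HTTP request that opens the circuit, not for navigations inside it, so the same membership lookup has to be done in the component (or in an `AuthenticationStateProvider`) rather than relied on from middleware; and since the lookup is keyed by the user id from the cookie and the campaign id from the route, a tampered campaign id simply yields no rows and no roles.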