JonPSmith / AuthPermissions.AspNetCore

This library provides extra authorization and multi-tenant features to an ASP.NET Core application.
https://www.thereformedprogrammer.net/finally-a-library-that-improves-role-authorization-in-asp-net-core/
MIT License

Having issue with permissions and claim #106

Open gigabytem opened 10 months ago

gigabytem commented 10 months ago

I was trying to implement roles and permissions in my project

these are my Permissions

```csharp
using System.ComponentModel.DataAnnotations;

public enum AquaPermissions : ushort
{
    // ...
    [Display(GroupName = "MasterAdmin", Name = "Read masters", Description = "Can list masters")]
    ReadMaster = 3_000,

    [Display(GroupName = "MasterAdmin", Name = "Edit masters", Description = "Can edit masters")]
    EditMaster = 3_001,
    // ...
}
```

and these are my RolesDefinition

```csharp
using System.Collections.Generic;

public static readonly List<BulkLoadRolesDto> RolesDefinition = new List<BulkLoadRolesDto>()
{
    new("SuperAdmin", "Super admin - only use for setup", "AccessAll"),
    new("MasterAdmin", "Master Admin - Have access to edit master", "EditMaster, ReadMaster")
};
```

but the permissions are stored in what looks like an encrypted format (my locale is IN, eng)

(screenshot attached: Screenshot 2024-01-25 173243)

and when I get my token from the user after login, I am getting the Permissions claim also in encrypted format.

(screenshot attached: Screenshot 2024-01-25 164434)

When I decorate my endpoint with permissions {AquaPermissions.ReadMaster} it is not working. I have to hardcode it as the encrypted format ("ஹஸ") for it to work. Is that how it is supposed to work?

JonPSmith commented 10 months ago

Hi @gigabytem,

I suggest you read the article Finally, a library that improves role authorization in ASP.NET Core, which explains how the Roles / Permissions. The AuthP library handles adding the Permissions to the user's claims, and the HasPermissionAttribute uses ASP.NET Core's policy-based authorization to allow or deny the request.

To answer your question: the Permissions claim contains Unicode characters for all the Permissions that the user has. Have a look at the PermissionPacker code if you are interested.

PS. If you are using Blazor or other frontend code, then you might find the IUsersPermissionsService useful, which returns the actual Permissions' names (see this section in the documentation). This allows your frontend to show a button depending on whether the user has the correct Permission.
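To make the "Unicode characters" point concrete, here is an added, simplified illustration of the packing scheme the answer above describes. It is not the AuthP library's own PermissionPacker code, only a reconstruction of the idea: each ushort enum value is stored as the single char with that code point, so the claim for EditMaster (3001 = U+0BB9) and ReadMaster (3000 = U+0BB8) is exactly the "ஹஸ" string the question quotes. The method names, the NotSet member and the AccessAll = ushort.MaxValue member are assumptions made for this example (AccessAll follows AuthP's documented "access everything" convention as I understand it).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Illustration only (not AuthP's code): the user's permissions are packed into one
// claim string, one char per ushort enum value, which is why it looks "encrypted".
public enum AquaPermissions : ushort
{
    NotSet = 0,                   // assumed: AuthP reserves 0 as "not set"
    ReadMaster = 3_000,           // from the question: (char)3000 == 'ஸ' (U+0BB8)
    EditMaster = 3_001,           // from the question: (char)3001 == 'ஹ' (U+0BB9)
    AccessAll = ushort.MaxValue   // assumed: AuthP's "has every permission" marker
}

public static class PermissionPackingDemo
{
    // Pack: every permission becomes the char whose code point is the enum value.
    public static string Pack(IEnumerable<AquaPermissions> permissions)
        => new string(permissions
            .Where(p => p != AquaPermissions.NotSet)
            .Select(p => (char)(ushort)p)
            .ToArray());

    // Unpack: the reverse mapping, char code point back to the enum value.
    public static IEnumerable<AquaPermissions> Unpack(string packedClaim)
        => packedClaim.Select(c => (AquaPermissions)(ushort)c);

    // Check: a permission is allowed if its char is in the claim, or if the claim
    // carries the AccessAll char. This is the kind of test a policy-based
    // authorization handler runs behind an attribute such as [HasPermission(...)].
    public static bool HasPermission(string packedClaim, AquaPermissions required)
    {
        if (string.IsNullOrEmpty(packedClaim) || required == AquaPermissions.NotSet)
            return false;
        return packedClaim.IndexOf((char)(ushort)required) >= 0
            || packedClaim.IndexOf((char)(ushort)AquaPermissions.AccessAll) >= 0;
    }

    public static void Main()
    {
        // The "MasterAdmin" role from the question: "EditMaster, ReadMaster".
        var masterAdminClaim = Pack(new[] { AquaPermissions.EditMaster, AquaPermissions.ReadMaster });
        Console.WriteLine(masterAdminClaim);                       // ஹஸ
        Console.WriteLine(string.Join(", ", masterAdminClaim.Select(c => $"U+{(int)c:X4}"))); // U+0BB9, U+0BB8
        Console.WriteLine(string.Join(", ", Unpack(masterAdminClaim)));                       // EditMaster, ReadMaster

        Console.WriteLine(HasPermission(masterAdminClaim, AquaPermissions.ReadMaster));        // True
        Console.WriteLine(HasPermission(masterAdminClaim, AquaPermissions.AccessAll));         // False

        // The "SuperAdmin" role: only AccessAll, which satisfies every check.
        var superAdminClaim = Pack(new[] { AquaPermissions.AccessAll });
        Console.WriteLine(HasPermission(superAdminClaim, AquaPermissions.EditMaster));         // True

        // A claim with no permissions satisfies nothing.
        Console.WriteLine(HasPermission(Pack(Array.Empty<AquaPermissions>()), AquaPermissions.ReadMaster)); // False
    }
}
```

The practical consequence for the question: the endpoint attribute should name the enum member (the library maps it to the char for you), and the "encrypted" string in the database and the token is just this packed form; it is an encoding, not encryption, so it carries no secrecy and should be treated like any other claim the server signs.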

SoftAdviceJR commented 9 months ago

@JonPSmith I'm trying to use AuthP on a WebAPI project and use react as a front end library. We've decided to use Azure AD B2C for authentication.

I have an endpoint decorated with [HasPermissions(PortalPermissions.Read)] and the user has a role which contains this permission. However when I try to access this endpoint I'm getting a 403. I'm guessing this is because we're using the access token supplied by Azure AD, which does not contain the encoded permissions.

What's the recommended way to set this up? I think I should either:

JonPSmith commented 9 months ago

Hi @SoftAdviceJR,

It's hard to diagnose your problem, so I will tell you about how the built-in Azure AD and WebAPI features work to help you work out what is wrong. And at the end I suggest some extra things that might help.

Explaining AuthP's Azure AD feature

AuthP has code for Azure AD and an example in the Example5.MvcWebApp.AzureAdB2C app. Adding .AzureAdAuthentication(AzureAdEventSettings.AzureAdDefaultSettings()) uses this extension method, which a) finds the Azure AD user's Id (which isn't obvious - see lines 35 to 39), and then b) calls the AuthP ClaimsCalculator to get the other AuthP claims like Permissions, etc.

NOTE: AuthP's Sign up for a new tenant, with versioning doesn't work with Azure AD B2C with social logins.

Explaining AuthP's WebAPI feature

AuthP has code for WebAPI and an example, Example2.WebApiWithToken.IndividualAccounts. This uses the TokenBuilder to add the other AuthP claims like Permissions, etc. One very important item is that you need to add JwtSecurityTokenHandler.DefaultOutboundClaimTypeMap.Clear(); to your Program, otherwise the user's Id isn't correct (see line 41 in Example2's Program).

Your situation

You want to use Azure AD for Authentication and WebAPI to hold the user's claims. Using the AuthP Azure AD and WebAPI features should work (but I haven't tried it). However, you only need the Azure AD user's Id, and then the AuthP WebAPI TokenBuilder's GenerateJwtTokenAsync method will add all the other user's AuthP claims. That's not a problem, but if you are building your own Azure AD Authentication code you only need the AD user's Id, and the AuthP WebAPI TokenBuilder will add the extra claims.