casbin-net / casbin-aspnetcore

Casbin.NET integration middleware and sample code for ASP.NET Core
https://github.com/casbin/Casbin.NET
Apache License 2.0

Use CasbinAuthorize attribute on ApiController #21

Closed thoraj closed 3 years ago

thoraj commented 3 years ago

I'm trying to use Casbin to control access to an api implemented using ApiController. The API uses Jwt bearer tokens.

Will this work with the CasbinAuthorize attribute?

Replacing the standard `[Authorize(Policy = "...")]` attribute with `[CasbinAuthorize()]` does not seem to work. Checking the ClaimsIdentity inside a RequestTransformer shows that the User is not authenticated, and the claims array is empty.

Furthermore, I'm redirected to login and get a 404, instead of the expected 401 error.

So I'm wondering if the CasbinAuthorize attribute is supposed to work for this kind of use case?

If not, are there plans to cover use cases with bearer tokens?

hsluoyz commented 3 years ago

@Sagilio

thoraj commented 3 years ago

The redirect is because of config issues in my Startup.cs

But it would be good to know whether you believe the Middleware and CasbinAuthorize attribute should work OK when using bearer token authentication.

thoraj commented 3 years ago

Seems to be working with bearer token, but I have to use both the standard and the casbin attribute:

```csharp
[Authorize]
[CasbinAuthorize]
public IActionResult MyAction(...)
```

Is this intended?

sagilio commented 3 years ago

Does this code work?

```csharp
[CasbinAuthorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
public IActionResult MyAction(...)
```

sagilio commented 3 years ago

> Seems to be working with bearer token, but I have to use both the standard and the casbin attribute:
>
> ```csharp
> [Authorize]
> [CasbinAuthorize]
> public IActionResult MyAction(...)
> ```
>
> Is this intended?

No. Currently, the casbin middleware does not read the default policy or fallback policy in AuthorizationOptions, so it will not use the AuthenticationSchemes from the default policy. But I think we should not read those policies; we will provide an AuthenticationSchemes option for this case.

thoraj commented 3 years ago

I tried [CasbinAuthorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]

And it works. I don't need the extra [Authorize] attribute, and I get 401 when token is missing as expected.

Then I removed `AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme` and it still works. Now I'm not able to reproduce the issue.
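
The two working configurations discussed in this thread (naming the bearer scheme on the attribute, and the Startup fix that makes it unnecessary) put together as an added example. This is not code from the issue or from the Casbin.AspNetCore project; the registration names `AddCasbinAuthorization`, `UseCasbinAuthorization`, `DefaultModelPath` and `DefaultPolicyPath`, the `Jwt:Key` configuration entry, and the issuer/audience values are assumptions and should be checked against the middleware version in use. What it shows is the ASP.NET Core mechanism behind the symptom: the JWT handler only populates `HttpContext.User` on every request when it is the default authenticate scheme, otherwise it runs only when a policy or attribute names it.

```csharp
// Program.cs, ASP.NET Core 6 minimal hosting. Added example; the Casbin
// registration calls below are assumed names, not verified project API.
using Casbin.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;
using System.Text;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();

// 1. Authentication. Passing the scheme name to AddAuthentication makes JWT
//    bearer both the default authenticate scheme and the default challenge
//    scheme. With that in place the authentication middleware runs the bearer
//    handler on every request, so HttpContext.User is already populated when
//    [CasbinAuthorize] (or a RequestTransformer) looks at it, and an absent or
//    invalid token is answered with 401 instead of a redirect to a login page.
//    Without a default scheme (or with a cookie scheme as the default) the
//    bearer handler is only run when a policy or attribute names it, which
//    produces the "not authenticated, empty claims" symptom from the report.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = "https://issuer.example",   // assumed value
            ValidateAudience = true,
            ValidAudience = "my-api",                 // assumed value
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(
                Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]!)), // assumed config key
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1),
        };
    });

// 2. Casbin. Per the maintainer's comment, the middleware does not consult
//    AuthorizationOptions.DefaultPolicy / FallbackPolicy, so a scheme named
//    there is never applied to [CasbinAuthorize]; the scheme has to come from
//    the default authenticate scheme above or from the attribute itself.
builder.Services.AddCasbinAuthorization(options =>   // assumed registration name
{
    options.DefaultModelPath = "model.conf";         // assumed option names
    options.DefaultPolicyPath = "policy.csv";
});

var app = builder.Build();
app.UseAuthentication();          // must run before the Casbin middleware
app.UseCasbinAuthorization();     // assumed middleware name
app.MapControllers();
app.Run();

[ApiController]
[Route("api/[controller]")]
public class SecretsController : ControllerBase
{
    // Naming the scheme on the attribute is the explicit option: it works even
    // when no default authenticate scheme is configured, and a missing token
    // then yields 401 rather than a redirect. With the default scheme set in
    // AddAuthentication above, the AuthenticationSchemes argument can be
    // dropped, which matches the reporter's final observation.
    [HttpGet]
    [CasbinAuthorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
    public IActionResult Get() => Ok(new { message = "authorized by casbin policy" });
}
```

A quick check for the original symptom: remove the scheme name from `AddAuthentication(...)` and from the attribute, send a valid bearer token, and inspect `HttpContext.User.Identity.IsAuthenticated` inside the request transformer; it will be false, because no handler was asked to authenticate. Restore either one and it becomes true.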

github-actions[bot] commented 3 years ago

:tada: This issue has been resolved in version 0.2.0 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket: