LiteApi - Authorization

LiteApi authorization can be done with multiple attributes, custom filters and policies. All authorization attributes are located in the LiteApi.Attributes namespace, and their names start with Requires.... All attributes can be applied multiple times at class (controller) level as well as at individual method (action) level. Note that LiteApi does not care how you authenticate your users; it only handles authorization, so you can use cookie-based authentication, JWT authentication or any other authentication scheme that can be plugged into an ASP.NET Core app. The attributes, policies and custom filters below all evaluate the ClaimsPrincipal that your authentication middleware has already placed on HttpContext.User, so that middleware must run before LiteApi in the pipeline; otherwise every user looks unauthenticated.

Claim based filter attributes:

The following claim-based attributes are available:

  • RequiresClaimsAttribute(params string[] claims) checks that the user has all of the specified claim types; claim values are not checked.
  • RequiresClaimWithValuesAttribute(string claimType, params string[] claimValues) checks that the user has the specified claim type with all of the specified values (one or more).
  • RequiresClaimWithAnyValueAttribute(string claimType, params string[] claimValues) checks that the user has a claim of the specified type with at least one of the specified values.
  • RequiresAnyClaimAttribute(params string[] claims) checks that the user has at least one of the specified claim types; claim values are not checked.

Role based filter attributes:

Roles are based on claims (check docs), so the following attributes are just an abstraction over the claim checks above:

  • RequiresRolesAttribute(params string[] roles) checks that the user has all of the specified roles.
  • RequiresAnyRoleAttribute(params string[] roles) checks that the user has at least one of the specified roles.

Other attributes:

  • RequiresAuthenticationAttribute() checks that the user is authenticated.
  • SkipFiltersAttribute() skips authorization at method (action) level even if authorization is required at class (controller) level. This makes the action reachable by anonymous callers, so apply it deliberately and re-check such actions whenever the controller-level rules change.
  • RequiresAuthorizationPolicyAttribute(string policyName) requires a named policy; see the next section.

Policy based authorization

Policy authorization can be required with RequiresAuthorizationPolicyAttribute(string policyName) at controller or action level. To register a policy, call AddAuthorizationPolicy(string name, Func<ClaimsPrincipal, bool> policy) on the LiteApiOptions instance when registering the middleware in Startup.cs. The delegate receives the request's ClaimsPrincipal and returns true to allow the request; write it defensively, so that a missing, duplicated or unparsable claim makes it return false. For example, this is how you register an Over18 policy:

// Startup.cs file
app.UseLiteApi(LiteApiOptions.Default  
    .AddAuthorizationPolicy("Over18", user =>
    {
        // extension method, you would need to add "using LiteApi;" to use it.
        int? value = user.Claims.GetFirstNullableInt("Age");
        return value.HasValue && value.Value >= 18;
    })
    // .AddAuthorizationPolicy("AnotherPolicy", user => // ...
    );
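The following is an added example, not code from the LiteApi docs or source, that puts the attributes listed above and the policy registration together in one controller. It assumes that controllers derive from a LiteController base class in the LiteApi namespace, that an ASP.NET Core authentication middleware (cookie or JWT) is registered before UseLiteApi, and that the attribute classes can be applied with the usual C# short form (RequiresClaims for RequiresClaimsAttribute, and so on). The claim types "Age", "tier", "scope" and "department" and the policy name "BillingStaff" are made up for the example.

```csharp
// Added example (not part of LiteApi). Assumptions: LiteController is the
// controller base class, and authentication middleware runs before UseLiteApi.
using System;
using System.Linq;
using System.Security.Claims;
using LiteApi;
using LiteApi.Attributes;
using Microsoft.AspNetCore.Builder;

public class Startup
{
    public void Configure(IApplicationBuilder app)
    {
        // Authentication must run first so HttpContext.User is populated;
        // LiteApi only evaluates the principal it is handed.
        app.UseAuthentication();

        app.UseLiteApi(LiteApiOptions.Default
            // Over18: exactly one "Age" claim that parses as an integer >= 18.
            // Written without the GetFirstNullableInt helper so the deny
            // paths (missing claim, duplicate claims, non-numeric value) are explicit.
            .AddAuthorizationPolicy("Over18", user =>
            {
                var ageClaims = user.FindAll("Age").ToList();
                if (ageClaims.Count != 1) return false;   // absent or ambiguous: deny
                return int.TryParse(ageClaims[0].Value, out var age) && age >= 18;
            })
            // BillingStaff: a made-up "department" claim must carry the value "billing".
            .AddAuthorizationPolicy("BillingStaff",
                user => user.HasClaim("department", "billing")));
    }
}

// Controller-level attributes apply to every action; action-level attributes
// are evaluated in addition to them, so all of them must pass.
[RequiresAuthentication]
[RequiresClaims(ClaimTypes.NameIdentifier)]   // claim type must exist, any value
public class AccountController : LiteController
{
    // Inherits only the controller-level checks above.
    public string Profile() => "profile";

    // Also needs the Over18 policy registered in Startup.
    [RequiresAuthorizationPolicy("Over18")]
    public string AgeRestricted() => "adults only";

    // "tier" claim with at least one of the two listed values.
    [RequiresClaimWithAnyValue("tier", "gold", "platinum")]
    public string Premium() => "premium content";

    // "scope" claims covering BOTH values (contrast with ...AnyValue above).
    [RequiresClaimWithValues("scope", "account.read", "account.write")]
    public string Update() => "updated";

    // BOTH roles are required; use RequiresAnyRole when one is enough.
    [RequiresRoles("admin", "auditor")]
    public string Audit() => "audit log";

    // SkipFilters drops the controller-level checks, so this action is
    // reachable anonymously. Keep such actions free of per-user data.
    [SkipFilters]
    public string Health() => "ok";
}
```

The Over18 delegate deliberately rejects a principal with two "Age" claims rather than picking the first one: when claims come from a token issued by someone else, the conservative choice on ambiguous input is to deny.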

Custom authorization attribute

You can implement your own custom authorization filter attribute by writing an attribute class that implements the IApiFilter or IApiFilterAsync interface. Both interfaces are located in the LiteApi.Contracts.Abstractions namespace. Here is a sample that requires an authenticated user holding at least two claims:

using System;
using System.Linq;
using LiteApi.Contracts.Abstractions;
using Microsoft.AspNetCore.Http;

// Must be public (a top-level type cannot be private) and derive from Attribute.
[AttributeUsage(AttributeTargets.Method)]
public class UserHasAnyTwoClaimsFilterAttribute : Attribute, IApiFilter  
{
    public ApiFilterRunResult ShouldContinue(HttpContext httpCtx)
    {
        // Identity is null when no authentication middleware ran; treat that as unauthenticated.
        var userIsAuthenticated = httpCtx?.User?.Identity?.IsAuthenticated ?? false;
        if (!userIsAuthenticated) return ApiFilterRunResult.Unauthenticated;

        // Authenticated but holding fewer than two claims: report unauthorized, not unauthenticated.
        return httpCtx.User.Claims.Count() > 1
            ? ApiFilterRunResult.Continue
            : ApiFilterRunResult.Unauthorized;
    }
}

You can also check the authorization sample in the GitHub repo.