CS296N Web Development 2: ASP.NET

Claims Based Authentication

Topics by week
1. Intro to course and Identity
2. Authentication and Authorization
3. Claims Authentication / 3rd Party Authentication
4. Security and Security Testing
5. Midterm, Publishing to a Linux Server
6. Performance and Load testing
7. Creating a Web Service
8. Consuming a Web Service, Async / Await
9. Docker Containers
10. Microservices

Introduction

Discussion and Announcements

  • Discuss lab 2 PRs and code reviews
  • Review quiz 2

Overview

This week you will learn how to use ASP.NET Core Identity for two advanced types of authorization:

  • Claims based authorization
    • Claims
    • Policies
  • Third Party Authorization

Claims and Policies

Claims

A claim is some item of information about a user. For example: where they work, their birthdate, licenses they hold, date of hire, degrees. Even the username and role are claims. In addition, each claim records the authority (issuer) that issued it. Claims can come from sources other than the web app itself, such as a third-party authentication provider.

Note: Freeman doesn't explain the concepts behind claims until page 960 - after describing how to make the app!

Policies

Claims do not directly equate to permissions. Permission (authorization) is determined by applying policies to the claims a user has.

Example of a policy (registered in Startup.ConfigureServices):

services.AddAuthorization(opts => {
  opts.AddPolicy("DCUsers", policy => {
    policy.RequireRole("Users");
    policy.RequireClaim(ClaimTypes.StateOrProvince, "DC");
  });
});

Authorizing an action using a policy:

[Authorize(Policy = "DCUsers")]
public IActionResult OtherAction() => View("Index", GetData(nameof(OtherAction)));


Textbook Example (Freeman, Ch. 30)

Note: This version of the Users web app does not seed the Identity database with an Admin account. All the code is there to do it except the line in Startup.Configure that calls AppIdentityDbContext.CreateAdminAccount. You can refer to the Ch. 29 version of this app to see that line of code.

Comment: In order to demonstrate a source of claims other than the app itself (the local authority), the author simulates messages coming from a central HR database: the ClaimsPrincipal for the current request is passed to LocationClaimsProvider.TransformAsync, which adds a location claim to it. Note that this is not the only way to create claims!
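The following is an added example, not Freeman's code from the book or the course's own app, that puts the pieces above together: the DCUsers policy (role plus claim), the NotBob policy written as an assertion, and an IClaimsTransformation that plays the part of the external HR feed. The class name HrLocationClaimsProvider, the issuer string "HRSystem" and the username-to-state table are assumptions made for this example.

```csharp
// Added example (not Freeman's code): policies plus a claims transformation.
// HrLocationClaimsProvider, the issuer name "HRSystem" and the Locations table
// are assumptions for this example; the rest is the standard ASP.NET Core API.
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class HrLocationClaimsProvider : IClaimsTransformation
{
    private const string Issuer = "HRSystem";

    // Constructed stand-in for the HR database: username -> state/province.
    private static readonly Dictionary<string, string> Locations =
        new Dictionary<string, string> { ["Alice"] = "DC", ["Bob"] = "NY", ["Joe"] = "DC" };

    // Runs after the cookie has been read, on every request. It can be invoked
    // more than once per request, so the claim is added only if this issuer
    // has not already added it (otherwise the principal accumulates duplicates).
    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        var identity = principal.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated || identity.Name == null)
            return Task.FromResult(principal);

        bool alreadyAdded = identity.Claims.Any(c =>
            c.Type == ClaimTypes.StateOrProvince && c.Issuer == Issuer);
        if (!alreadyAdded && Locations.TryGetValue(identity.Name, out string state))
        {
            // The issuer is recorded on the claim, so code can later tell an
            // HR-supplied location apart from one the user typed in themselves.
            identity.AddClaim(new Claim(ClaimTypes.StateOrProvince, state,
                                        ClaimValueTypes.String, Issuer));
        }
        return Task.FromResult(principal);
    }
}

public static class PolicyConfig
{
    // Call from Startup.ConfigureServices.
    public static void AddClaimsPolicies(this IServiceCollection services)
    {
        services.AddTransient<IClaimsTransformation, HrLocationClaimsProvider>();
        services.AddAuthorization(opts =>
        {
            // Both requirements must pass: the role comes from Identity, the
            // claim from the transformation (or from the stored user claims).
            opts.AddPolicy("DCUsers", policy =>
            {
                policy.RequireRole("Users");
                // Note: RequireClaim matches type and value only, not issuer.
                policy.RequireClaim(ClaimTypes.StateOrProvince, "DC");
            });

            // Same check, but only trusting the HR-issued location claim.
            opts.AddPolicy("DCUsersFromHR", policy =>
                policy.RequireAssertion(ctx => ctx.User.Claims.Any(c =>
                    c.Type == ClaimTypes.StateOrProvince && c.Value == "DC"
                    && c.Issuer == "HRSystem")));

            // Denies one named user (exact, case-sensitive match on the Name claim);
            // every other authenticated user passes.
            opts.AddPolicy("NotBob", policy =>
            {
                policy.RequireAuthenticatedUser();
                policy.RequireAssertion(ctx => !ctx.User.HasClaim(ClaimTypes.Name, "Bob"));
            });
        });
    }
}

public class HomeController : Controller
{
    [Authorize(Policy = "DCUsers")]
    public IActionResult OtherAction() => View("Index");

    [Authorize(Policy = "NotBob")]
    public IActionResult NotBob() => View("Index");
}
```

The DCUsersFromHR policy is there to make one point: RequireClaim only compares claim type and value, so if the app also lets users edit a claim of that type (as the UserProps page edits city), a policy that should depend on the HR feed needs to check the claim's Issuer as well. The transformation must also be idempotent, because the framework may call TransformAsync more than once for a single request.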

Structure of the Textbook Web App

  • /Home - Shows details on the currently logged in user
    • Index - requires login, has [Authorize] attribute
    • OtherAction - same as above, has [Authorize(Roles="Users")] attribute
    • NotBob - used to test a policy which blocks the user named Bob
    • UserProps - allows editing city and qualifications
  • /Admin - shows a list of users with buttons for:
    • Create - create user account
    • Edit
    • Delete
  • /Account
    • Login
    • Logout
  • /RoleAdmin - show all roles and the users with buttons for:
    • Create - create a role
    • Edit - add users to roles
    • Delete
  • /Document - show all documents
  • /Claims - show all claims

BookInfo Example

I will add the following claims:

  • Type: PostedBooks, Value: number of books
  • Type: Age, Value: birthdate
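An added example, not the course's BookInfo code, of how these two claims could be stored on a user and then evaluated by policies. It follows the claim types given above (PostedBooks holds a count, Age holds a birthdate); the policy names "HasPostedBooks" and "IsAdult", the date format and the controller are assumptions. Both policies fail closed: a missing or unparseable claim value denies access instead of throwing.

```csharp
// Added example (not the course's BookInfo code). Claim types follow the notes
// above; policy names, the yyyy-MM-dd date format and BookController are assumed.
using System;
using System.Globalization;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class BookInfoClaims
{
    public const string PostedBooks = "PostedBooks";
    public const string Age = "Age";   // value is the user's birthdate, per the notes

    // Startup.ConfigureServices: policies that look at the claim *values*.
    public static void AddBookInfoPolicies(this IServiceCollection services)
    {
        services.AddAuthorization(opts =>
        {
            // Passes only when the claim exists and parses to a positive count.
            opts.AddPolicy("HasPostedBooks", policy =>
                policy.RequireAssertion(ctx =>
                    int.TryParse(ctx.User.FindFirst(PostedBooks)?.Value, out int n) && n > 0));

            // Passes only when the birthdate claim exists and yields age >= 18.
            opts.AddPolicy("IsAdult", policy =>
                policy.RequireAssertion(ctx => AgeFromClaim(ctx.User) >= 18));
        });
    }

    // Computes the age from the birthdate in the "Age" claim; -1 when absent/invalid.
    public static int AgeFromClaim(ClaimsPrincipal user)
    {
        string value = user.FindFirst(Age)?.Value;
        if (!DateTime.TryParseExact(value, "yyyy-MM-dd", CultureInfo.InvariantCulture,
                                    DateTimeStyles.None, out DateTime born))
            return -1;
        DateTime today = DateTime.UtcNow.Date;
        int age = today.Year - born.Year;
        if (born.Date > today.AddYears(-age)) age--;   // birthday not yet reached this year
        return age;
    }

    // Writes both claims to the Identity store (AspNetUserClaims table) for this user,
    // replacing any earlier values so the user never carries two PostedBooks claims.
    public static async Task<IdentityResult> SetBookClaimsAsync(
        UserManager<IdentityUser> userManager, IdentityUser user,
        int postedBooks, DateTime birthdate)
    {
        var existing = await userManager.GetClaimsAsync(user);
        foreach (Claim c in existing)
        {
            if (c.Type == PostedBooks || c.Type == Age)
            {
                IdentityResult removed = await userManager.RemoveClaimAsync(user, c);
                if (!removed.Succeeded) return removed;
            }
        }
        return await userManager.AddClaimsAsync(user, new[]
        {
            new Claim(PostedBooks, postedBooks.ToString(CultureInfo.InvariantCulture)),
            new Claim(Age, birthdate.ToString("yyyy-MM-dd", CultureInfo.InvariantCulture))
        });
    }
}

public class BookController : Controller
{
    private readonly UserManager<IdentityUser> userManager;
    private readonly SignInManager<IdentityUser> signInManager;

    public BookController(UserManager<IdentityUser> um, SignInManager<IdentityUser> sm)
    {
        userManager = um;
        signInManager = sm;
    }

    [Authorize(Policy = "IsAdult")]
    public IActionResult Post() => View();

    [Authorize(Policy = "HasPostedBooks")]
    public IActionResult MyBooks() => View();

    // Stored claims are copied into the cookie at sign-in, so after changing
    // them the sign-in is refreshed; otherwise the old claims stay in effect
    // until the user logs out and back in.
    [HttpPost]
    [Authorize]
    public async Task<IActionResult> UpdateClaims(int postedBooks, DateTime birthdate)
    {
        IdentityUser user = await userManager.GetUserAsync(User);
        IdentityResult result = await BookInfoClaims.SetBookClaimsAsync(
            userManager, user, postedBooks, birthdate);
        if (!result.Succeeded) return BadRequest(result.Errors);
        await signInManager.RefreshSignInAsync(user);
        return RedirectToAction(nameof(MyBooks));
    }
}
```

Two things to check when testing this: a user with no PostedBooks claim, or with the value "abc", is denied by HasPostedBooks rather than causing a 500, and a change made through UserManager is not visible to policies until the cookie principal is rebuilt (RefreshSignInAsync or a fresh login), because policies evaluate the claims in the cookie, not the database rows.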

Resources

Textbook

Freeman, Pro ASP.NET Core MVC 2
Ch. 30 - Advanced ASP.NET Core Identity

Tutorials


Conclusion

  • Review lab due dates on Moodle
  • Next time we will look at the HTTP concepts underlying Identity and how to test our sites to see how secure they are.