<h1>Get Started with ASP.NET Core Authorization – Part 1 of 2</h1>
<p>Published 2016-03-15 (originally on blogs.msdn.microsoft.com/webdev, now at <a href="https://devblogs.microsoft.com/dotnet/get-started-with-asp-net-core-authorization-part-1-of-2/">devblogs.microsoft.com/dotnet</a>). Categories: ASP.NET, ASP.NET Core. Tag: security.</p>
<p>After learning about Authentication in ASP.NET Core, our intrepid reporter <a href="https://channel9.msdn.com/Blogs/Seth-Juarez" target="_blank" rel="noopener noreferrer">Seth Juarez</a> wanted to dig deeper into the ASP.NET Authorization story. In the following video, he speaks with ASP.NET Security Analyst <a href="https://twitter.com/blowdart" target="_blank" rel="noopener noreferrer">Barry Dorrans</a>. Notes and links from their discussion follow.</p>
<p>Video: <a href="https://channel9.msdn.com/Blogs/Seth-Juarez/ASPNET-Core-Authorization-with-Barry-Dorrans/player" target="_blank" rel="noopener noreferrer">ASP.NET Core Authorization with Barry Dorrans</a></p>
<p>Authorization verifies that a user is permitted to access functionality, and requires some form of authentication in front of it. Authentication confirms a user's identity.</p>
<p>Barry pointed out that many developers in older versions of ASP.NET implemented their own <a href="https://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute(v=vs.118).aspx" target="_blank" rel="noopener noreferrer">AuthorizeAttribute</a> and did not fully implement the entire specification. In ASP.NET Core there is still an Authorize attribute, but it is a marker attribute that performs no actions itself.</p>
<p>Source code and samples discussed in this video were previously shared in a workshop Barry presented and are online at <a href="https://github.com/blowdart/AspNetAuthorizationWorkshop" target="_blank" rel="noopener noreferrer">https://github.com/blowdart/AspNetAuthorizationWorkshop</a>.</p>
<p>Authorization capabilities for ASP.NET Core are added and configured through the <a href="https://www.nuget.org/packages/Microsoft.AspNet.Authorization/1.0.0-rc1-final" target="_blank" rel="noopener noreferrer">Microsoft.AspNet.Authorization</a> NuGet package. The middleware used to handle cookies is delivered in the <a href="https://www.nuget.org/packages/Microsoft.AspNet.Authentication.Cookies/1.0.0-rc1-final" target="_blank" rel="noopener noreferrer">Microsoft.AspNet.Authentication.Cookies</a> package. These packages are included by default in the ASP.NET project templates that have security enabled.</p>
<p>There are two HTTP status codes that are very important in web security:</p>
<ul>
<li>HTTP 401 – Unauthorized: the current user is not authenticated</li>
<li>HTTP 403 – Forbidden: the current user is authenticated but is denied access</li>
</ul>
<p>The default MVC templates are configured to redirect HTTP 401 responses to a login page that will then return the logged-in user to the page they were previously denied.</p>
<p>Cookie Authentication has five options:</p>
<ul>
<li>AuthenticationScheme – a string that identifies the authentication provider. 'Cookie' and 'Bearer' are currently supported</li>
<li>LoginPath – the path to the login page</li>
<li>AccessDeniedPath – the path to the error page shown when the user is authenticated but not authorized to access the resource</li>
<li>AutomaticAuthenticate – run on every request and attempt to identify a user from a cookie's contents</li>
<li>AutomaticChallenge – automatically redirect a 401 or 403 response to the appropriate path</li>
</ul>
<p>There is a new AuthorizationPolicy capability in ASP.NET Core that can be defined to require authenticated users, and Barry demonstrated how to apply this policy in an MVC filter. The AuthorizationPolicy and filter can then be bypassed on the controllers that allow anonymous users with the new AllowAnonymous attribute.</p>
<p>Everything about our identity in ASP.NET Core is now claims-based. That is, all attributes of the identity are defined as separate claims on the identity object. Barry went on to explain that a principal can be composed of multiple identities. The comparison is this: a principal is a unique individual, but they may have multiple identification cards such as their driver's license, passport, or employee ID badge. Those identification cards are their identity to the issuing organizations, just like your Twitter, Facebook, or Microsoft Account ID.</p>
<p>Barry showed us that the login page needs to verify that the redirecturl query string passed to it is local to our application. Otherwise, links could be constructed that bounce through your site, appearing to visitors to lead into your application while actually redirecting them somewhere outside of it.</p>
<p>One authorization strategy that Barry and Seth discussed is a secondary authentication step when a user attempts to perform a task that requires an additional level of authorization. Instead of simply rejecting a user as not allowed to access an administrative feature, you could configure your application to prompt for a two-factor authentication token or some additional piece of information.</p>
<p>The Authorize attribute now supports defining requirements for access using either roles or a policy. Policies can be defined in code outside of the project; they can inspect the identity for claims to compare against, or they can execute arbitrary code to test against.</p>
<p>Barry also clarified that when MVC controllers are decorated with multiple Authorize attributes, all of them must be satisfied in order to grant access to the controller's actions.</p>
<p>More details about ASP.NET Core security can be found at <a href="http://docs.asp.net" target="_blank" rel="noopener noreferrer">docs.asp.net</a>.</p>
<p>In the next video in this series, Barry and Seth will discuss more complex authorization scenarios.</p>