How can I implement Claims-Based Authorization with ASP.NET WebAPI without using Roles?
You can achieve that if you override the Authorize
attribute. In your case it should be something like this:
public class ClaimsAuthorize : AuthorizeAttribute{ public string SubjectID { get; set; } public string LocationID { get; set; } protected override bool IsAuthorized(HttpActionContext actionContext) { ClaimsIdentity claimsIdentity; var httpContext = HttpContext.Current; if (!(httpContext.User.Identity is ClaimsIdentity)) { return false; } claimsIdentity = httpContext.User.Identity as ClaimsIdentity; var subIdClaims = claimsIdentity.FindFirst("SubjectId"); var locIdClaims = claimsIdentity.FindFirst("LocationId"); if (subIdClaims == null || locIdClaims == null) { // just extra defense return false; } var userSubId = subIdClaims.Value; var userLocId = subIdClaims.Value; // use your desired logic on 'userSubId' and `userLocId', maybe Contains if I get your example right? if (!this.SubjectID.Contains(userSubId) || !this.LocationID.Contains(userLocId)) { return false; } //Continue with the regular Authorize check return base.IsAuthorized(actionContext); } }
In your controller that you wish to restrict access to, use the ClaimsAuthorize
attribute instead of the normal Authorize
one:
[ClaimsAuthorize( SubjectID = "1,2", LocationID = "5,6,7")][RoutePrefix("api/Content")]public class ContentController : BaseController{ ....}