asp.net identity 2 - Custom authorization with Azure AD Authentication in OWIN Web API
We are using Azure AD authentication for one of our client applications and want to implement claims-based authorization along with it.
Our application is set up as an Angular-based client app connecting to a Web API (both client and server are secured using Azure AD bearer authentication). The server application is hosted using OWIN.
We need to provide custom authorization on the server side. There is provision in Azure AD for adding users and roles; however, that is not enough for us. Our user management is done through AD and security groups. To gain access to the application, users need to be part of a base group, and further rights (access to a particular section of the application, editing a specific entity, etc.) are assigned based on additional groups or given directly to users in the application. Essentially, not all users are registered in the application, and we may have to query AD using the Graph API to check which application-specific groups they belong to.
The OWIN authentication and authorization model is based on an authentication server and a resource server. We can separate them on a need basis. However, in our case, we need to split authentication and authorization. When the client presents a bearer token, we need to verify whether the token is valid and add claims to the user profile. We need to cache the user claims so as not to hit the database frequently. (Our client app makes multiple Web API calls in one user action.)
What is the location in Identity 2.0 where
- I can verify the token, and
- insert application-specific claims?
If the entire application revolves around user authorization and queries need to be filtered on the data a user can access, what is a more suitable design pattern for the Web API application?
I believe you're looking for authentication and authorization filters in the ASP.NET Web API 2.0 stack.
You can implement per-web-method authorization by implementing System.Web.Http.Filters.IAuthorizationFilter on an attribute class, then decorating the web action methods of your service controller with that attribute. Web API 2.0 will select the method based on URL routing, notice that there is an attribute on the method implementing IAuthorizationFilter, and call the ExecuteAuthorizationFilterAsync method on the attribute instance before calling the web method. Placing the authorization step before web method invocation allows invalid requests to be discarded quickly, before getting to the heavy lifting of parameter binding.
The incoming token is validated by an IAuthenticationFilter implementation, which executes before the authorization step.
Documentation and examples are extremely hard to find. Here's one of the few search results that is relevant: http://thegrumpycoder.com/post/105427070626/secure-web-services-with-web-api-and-sitecore
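The two filter types the answer describes, put together as an added example (not code from the question, the answer, or Microsoft). It assumes the OWIN Azure AD bearer middleware is already registered and has validated the token and set the request principal before Web API filters run; the `IAppGroupLookup` interface, the `urn:example:appgroup` claim type, the group names and the `MemoryCache` expiry are all assumptions for illustration. The authentication filter enriches the validated principal with application-group claims, cached per Azure AD object id so that the several calls in one user action query AD at most once per cache period; the authorization attribute rejects callers lacking the required groups before parameter binding.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Runtime.Caching;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical seam for the AD / Graph API group query (not a real Microsoft type).
public interface IAppGroupLookup
{
    Task<IReadOnlyCollection<string>> GetAppGroupsAsync(string objectId, CancellationToken ct);
}

// Authentication filter: runs after the OWIN bearer middleware has validated the Azure AD
// token, and replaces the principal with one carrying application-specific group claims.
public class AppClaimsAuthenticationFilter : IAuthenticationFilter
{
    public const string AppGroupClaimType = "urn:example:appgroup"; // assumed claim type
    private const string OidClaimType = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    private static readonly MemoryCache Cache = MemoryCache.Default;
    private readonly IAppGroupLookup _lookup;
    private readonly TimeSpan _ttl;

    public AppClaimsAuthenticationFilter(IAppGroupLookup lookup, TimeSpan ttl) { _lookup = lookup; _ttl = ttl; }

    public bool AllowMultiple { get { return false; } }

    public async Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
    {
        var identity = context.Principal == null ? null : (context.Principal.Identity as ClaimsIdentity);
        // No valid bearer token: leave the principal alone so the authorization filter answers 401.
        if (identity == null || !identity.IsAuthenticated) return;

        // Azure AD's object identifier is stable per user (unlike UPN/email); use it as the cache key.
        var oid = identity.FindFirst(OidClaimType) ?? identity.FindFirst("oid");
        if (oid == null) return;

        var groups = Cache.Get(oid.Value) as IReadOnlyCollection<string>;
        if (groups == null)
        {
            groups = await _lookup.GetAppGroupsAsync(oid.Value, cancellationToken);
            // Bounded lifetime: a user removed from a group loses access after at most one TTL.
            Cache.Set(oid.Value, groups, new CacheItemPolicy { AbsoluteExpiration = DateTimeOffset.UtcNow.Add(_ttl) });
        }

        // Copy the token's own claims, then append one claim per application group.
        var enriched = new ClaimsIdentity(identity.Claims, identity.AuthenticationType,
                                          identity.NameClaimType, identity.RoleClaimType);
        foreach (var g in groups) enriched.AddClaim(new Claim(AppGroupClaimType, g));
        context.Principal = new ClaimsPrincipal(enriched);
    }

    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
    {
        // The bearer middleware already emits the WWW-Authenticate challenge; nothing to add.
        return Task.FromResult(0);
    }
}

// Authorization filter as an attribute: every listed group must be present on the principal,
// otherwise the request is rejected before parameter binding and the action body run.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public class RequireAppGroupAttribute : Attribute, IAuthorizationFilter
{
    private readonly string[] _required;
    public RequireAppGroupAttribute(params string[] required) { _required = required; }
    public bool AllowMultiple { get { return true; } }

    public Task<HttpResponseMessage> ExecuteAuthorizationFilterAsync(HttpActionContext actionContext,
        CancellationToken cancellationToken, Func<Task<HttpResponseMessage>> continuation)
    {
        var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
            return Task.FromResult(actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized));

        var held = new HashSet<string>(principal.FindAll(AppClaimsAuthenticationFilter.AppGroupClaimType)
                                                .Select(c => c.Value));
        if (!_required.All(held.Contains))
            return Task.FromResult(actionContext.Request.CreateResponse(HttpStatusCode.Forbidden));

        return continuation(); // only authorized callers reach binding and the action
    }
}

// Registration, e.g. from WebApiConfig.Register; "app-users" stands in for the base group.
public static class FilterRegistration
{
    public static void Register(HttpConfiguration config, IAppGroupLookup lookup)
    {
        config.Filters.Add(new AppClaimsAuthenticationFilter(lookup, TimeSpan.FromMinutes(5)));
        config.Filters.Add(new RequireAppGroupAttribute("app-users")); // base group for every action
    }
}
```

Finer rights are then expressed per action or controller, for example `[RequireAppGroup("invoice-editors")]` on a PUT action, and because `AllowMultiple` is true the global base-group check and the per-action check both run. Two caveats a practitioner should weigh: `MemoryCache` is per process, so a web farm either accepts that each node queries AD independently or moves the cache to a shared store; and the cache should be keyed by the object id rather than by name or email, since those can be reassigned to a different account.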