I have the following entities:
public class Company {
public Int32 CompanyId { get; set; }
public String Name { get; set; }
}
public class Project {
public Int32 ProjectId { get; set; }
public String Name { get; set; }
public virtual Company { get; set; }
}
public class ProjectUser {
public Int32 UserId { get; set; }
public String ProjectId { get; set; }
}
public class User {
public Int32 UserId { get; set; }
public String Name { get; set; }
}
I need to create an Api endpoint to get a Company's Projects:
companies/{companyId}/projects
This url makes sense but returning projects should be restricted to:
Projects, in provided company, where current authenticated user is associated (ProjectUser);
OR
All projects, in provided company, if current authenticated user is system admin.
Question
So this request depends on the authenticated user ...
Should I send the UserId in the request and then check its permissions in the API?
If yes, how would the url, e.g. companies/{companyId}/projects, become?
Or should I simply get the authenticated User and checks its permissions in the API without sending the UserId in the Request?
The latter. Your request should be authorized, most likely via sending the Authorization header with a previously obtained access token. You should not nor do you need to send the user id along with the request. That would be obtained via the user principal, specifically via the NameIdentifier claim. As for your resource-level authorization, you'll use the user id obtained from the principal to ensure that the authenticated user has access to said resource, most normally via a foreign key on the resource itself. The docs have a more extensive guide.
Related
I am using .Net Core Identity 5, I did add Role for the user when registering the account. I want when I Edit the user information of that account, I can change their Role in the system.
I am working in Repo, how can I work with it most effectively?
Viewmodel
public class UserRoleViewModel
{
public string UserId { get; set; }
public string FullName { get; set; }
public string Email { get; set; }
public string Role { get; set; }
}
I have an app that uses Google Authentication to sign in. After getting the user id token, I need to get this information from the user's profile:
Email
FullName
Profile Picture.
I've seen an example using this endpoint:
https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=ID
But this endpoint is not worked for me.
How can I get these profile information?
Can you try this URL : https://www.googleapis.com/oauth2/v3/userinfo?access_token=access_token.
This URL will return following Information
public class GoogleAuthClass
{
public string email { get; set; }
public bool email_verified { get; set; }
public string name { get; set; }
public string picture { get; set; }
}
You could use the Plugin.GoogleClient nuget and follow this Tutorial.
You will be able to access all the properties from the Google API and manage them as you require.
NOTE: This tutorial uses Firebase Auth.
More information can be seen at:
https://www.xamboy.com/2019/11/19/social-media-authentication-google-login-in-xamarin-forms/
I know this is an old question, but could not find an answer for ASP.Net Core. I have ASP.Net Core web api application with role-based membership. Suppose we have an enitity from database with such fields:
public class Transaction
{
public int Id { get; set;}
public string UserId { get; set; }
public string ManagerId { get; set; }
public decimal Amount { get; set; }
}
And controller action:
[Authorize(Roles = "Admin,Manager,RegularUser")]
public async Task<IActionResult> Transactions(TransactionsRequest request)
{
var response = await _repository.Find(request, User);
return Ok(response);
}
My goal is to query and return partial result based on a role:
For Admin role I need to return all transations with all fields
For Manager role I need to return trasactions for current manager (based on managerId) without UserId field
For RegularUser role I need to return trasactions for current user (based on userId) without ManagerId field
I think it is simple to make three different actions, each one for specific role. But what if my role number will grow?
What would be best practice to determine what I should store in the identity claim object versus in a separate table. For example, let's say that each user needs to have access to multiple sites. See object below:
public class Site
{
public int SiteID { get; set; }
public string Name { get; set; }
public string Url { get; set; }
}
Should i store the Site object as a Serialized Claim or should I create database table for it, as well make the Site object a property of the Application User class of Microsoft.AspNet.Identity framework.
public class ApplicationUser : IdentityUser
{
public Site[] Sites {get; set;}
}
I am using a custom MembershipProvider (using EF, rather than Sql) with a SL4 business application.
The default implementation of the MembershipUser class has an e-mail address property, however the User object defined by the SL4 Business Application template (inheriting from UserBase )does not give you access to the Email property.
Moreover when the AuthenticationService (inheriting from AuthenticationBase<User>) does not even attempt to read the user's e-mail.
Is there a way to access the Email property of the MembershipUser(server side)/User(client side) by using the AuthenticationService, or do I have to create my own routines to return the right properties of the user?
Thanks,
Martin
You can create your own User class as long as you implement IUser.
public class User : IUser
{
public int Id { get; set; }
public string UserName { get; set; }
public string Password { get; set; }
public string Email { get; set; }
#region Implementation of IUser
public string Name { get; set; }
public IEnumerable<string> Roles { get; set; }
#endregion
}
You can modify the AuthenticationService to Implement IAuthentication<User> and implement Login. As part of your implemented Login process you can populate the User.Email.
public class AuthenticationService : DomainService, IAuthentication<User>
{
public User Login(string userName, string password, bool isPersistent, string customData)
{
//can populate User.Email on successful login.
}
}