Channel: WebAPI – leastprivilege.com

Scope based Authorization in ASP.NET Web API


I am a fan of separating authorization logic and business logic – that’s why I favour the claims-based authorization manager approach. That’s also why I wrote the ClaimsAuthorize filter.

If you don’t want to go down the route of a full fledged authorization manager but use the scopes concept from OAuth2 (see here), here’s a simplified approach:

public class IdentityController : ApiController
{
    /// <summary>
    /// Returns the claims of the current principal
    /// </summary>
    [Scope("read")]
    public IEnumerable<ViewClaim> Get()
    {
        var principal = Request.GetClaimsPrincipal();
        return ViewClaims.GetAll(principal);
    }

    /// <summary>
    /// Update identity data
    /// </summary>
    [Scope("write", "update")]
    public void Put()
    {
        // update logic is omitted in this sample
    }
}


The [Scope] attribute is an authorization filter that simply checks whether the current principal has scope claims with the specified values.
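To make the mechanism concrete, here is an added example of how such a filter can be written on top of Web API's AuthorizationFilterAttribute. It is not IdentityModel's own code; the claim type "scope", the space-delimited scope handling and the "all listed scopes are required" semantics are assumptions of this example.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Illustrative re-implementation of a [Scope] filter (not the IdentityModel one).
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public class ScopeAttribute : AuthorizationFilterAttribute
{
    // Claim type carrying OAuth2 scopes in the access token (assumed; check
    // what your token validation middleware actually emits).
    public const string ScopeClaimType = "scope";

    private readonly string[] _requiredScopes;

    public ScopeAttribute(params string[] scopes)
    {
        if (scopes == null || scopes.Length == 0)
            throw new ArgumentException("At least one scope is required.", "scopes");
        _requiredScopes = scopes;
    }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;

        // Fail closed: an anonymous caller gets 401, never a pass-through.
        if (principal == null || !principal.Identity.IsAuthenticated)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }

        // A token may carry one claim per scope or one space-delimited claim; accept both.
        var granted = principal.FindAll(ScopeClaimType)
            .SelectMany(c => c.Value.Split(' '))
            .Where(s => !string.IsNullOrWhiteSpace(s))
            .ToList();

        // Assumed semantics: every scope named on the attribute must be present.
        if (_requiredScopes.All(r => granted.Contains(r, StringComparer.Ordinal)))
            return;

        // Authenticated but under-privileged: 403 with the RFC 6750 error code.
        actionContext.Response = actionContext.Request.CreateResponse(
            HttpStatusCode.Forbidden,
            new { error = "insufficient_scope", scope = string.Join(" ", _requiredScopes) });
    }
}
```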

That’s a really simple approach to coarse-grained authorization that goes well together with access tokens coming from an (our) authorization server. You can of course mix that with an authorization manager if you like.

The attribute is part of IdentityModel. The sample above can be found here.


Filed under: AuthorizationServer, OAuth, WebAPI
