This repository has been archived by the owner on Dec 13, 2018. It is now read-only.

Policy which requires data from the request body, query #1465

Closed
damienbod opened this issue Oct 2, 2017 · 4 comments

damienbod commented Oct 2, 2017

I have requirements which require me to return a 401 or 403 if the request identity is not allowed to access a resource. The resource id is sent in the request in the body or as an id in the query string.

Can I implement this in a Policy, AuthorizationHandler, IAuthorizationRequirement? How can I access the body, querystring?

Or do I have to use ActionFilters to support this?

If not, what is the recommended way to support this?

@epignosisx

The last section of this doc page covers it:

https://docs.microsoft.com/en-us/aspnet/core/security/authorization/policies#security-authorization-policies-based-authorization-handler


damienbod commented Oct 3, 2017

@epignosisx This does not work for the post with data in the body. So it looks like I have to use ActionFilters to implement my security logic instead of Policies with the AuthorizationFilter. Correct?

@damienbod damienbod reopened this Oct 3, 2017

epignosisx commented Oct 3, 2017

You should be able to access the HttpContext once you cast the resource to AuthorizationFilterContext. See below.

```csharp
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, SomeRequirement requirement)
{
    if (context == null)
        throw new ArgumentNullException(nameof(context));
    if (requirement == null)
        throw new ArgumentNullException(nameof(requirement));

    var authFilterCtx = (Microsoft.AspNetCore.Mvc.Filters.AuthorizationFilterContext)context.Resource;
    var httpContext = authFilterCtx.HttpContext;
    ...
}
```
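An added example, not code from this thread or from the ASP.NET Core project: a handler that takes the resource id from the query string or a JSON POST body and fails closed when it cannot find one. It assumes ASP.NET Core 2.x MVC, where `context.Resource` is an `AuthorizationFilterContext`; `ResourceAccessRequirement`, `IResourceAccessStore`, `CanAccessAsync` and the `id` key are hypothetical names.

```csharp
using System.IO;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc.Filters;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

// Hypothetical names: ResourceAccessRequirement, IResourceAccessStore, the "id" key.
public class ResourceAccessRequirement : IAuthorizationRequirement { }
public interface IResourceAccessStore
{
    Task<bool> CanAccessAsync(string userId, string resourceId);
}

public class ResourceAccessHandler : AuthorizationHandler<ResourceAccessRequirement>
{
    private readonly IResourceAccessStore _store;
    public ResourceAccessHandler(IResourceAccessStore store) => _store = store;

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context, ResourceAccessRequirement requirement)
    {
        // Fail closed: returning without Succeed() leaves the requirement unmet.
        if (!(context.Resource is AuthorizationFilterContext mvc)) return;
        var request = mvc.HttpContext.Request;
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        string id = request.Query["id"];   // null when the key is absent
        if (string.IsNullOrEmpty(id) && HttpMethods.IsPost(request.Method))
        {
            // Buffer the body so model binding can read it again afterwards.
            // (ASP.NET Core 2.0: EnableRewind() from Microsoft.AspNetCore.Http.Internal.)
            request.EnableBuffering();
            using (var reader = new StreamReader(request.Body, Encoding.UTF8, false, 4096, leaveOpen: true))
            {
                var json = await reader.ReadToEndAsync();
                try { id = JObject.Parse(json)["id"]?.ToString(); }
                catch (JsonException) { id = null; }   // malformed body: deny
            }
            request.Body.Position = 0;   // rewind for the action's [FromBody] binding
        }

        if (userId != null && !string.IsNullOrEmpty(id) && await _store.CanAccessAsync(userId, id))
            context.Succeed(requirement);
    }
}
```

The handler parses the body independently of model binding, so the action should use the same `id` field the handler checked; otherwise the authorization decision and the operation can refer to different resources.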


Eilon commented Oct 5, 2017

Looks like this is now answered again. Thanks for the help @epignosisx !

@Eilon Eilon closed this as completed Oct 5, 2017