
aws-samples/amazon-verified-permissions-asp-dotnet-core-custom-auth-policy-provider

Implement custom authorization policy provider for ASP.NET Core apps using Amazon Verified Permissions

This is a sample ASP.NET Core application with a custom authorization policy provider that calls the Amazon Verified Permissions API to evaluate authorization requirements and obtain an authorization decision.

Blog reference: Implement custom authorization policy provider for ASP.NET Core apps using Amazon Verified Permissions

The Architecture

  • The sample ASP.NET Core application uses a SQLite database to store entities and uses Amazon Verified Permissions as the centralized authorization service and authorization policy repository.

  • When a user shares a to-do list with another user, the application creates a template-linked policy based on one of the shared access policy templates (TodoListSharedAccessPolicyTemplate or TodoListSharedAccessWithResharePolicyTemplate).

(Image: architecture diagram)
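The following is an added example, not code from the sample project, of how a custom authorization policy provider of the kind described above can be wired up in ASP.NET Core. It maps a policy name such as "AVP:TodoList::addItem" onto a requirement that a handler evaluates by calling the Verified Permissions IsAuthorized API. The Cedar namespace "TinyTodo", the entity type names, the "AVP:" prefix, the option class and the appsettings section name are assumptions; the policy store id is a placeholder to be replaced with the value from the CDK output.

```csharp
// Added example (not the sample project's code): a custom IAuthorizationPolicyProvider
// whose requirements are evaluated against Amazon Verified Permissions.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Amazon.VerifiedPermissions;
using Amazon.VerifiedPermissions.Model;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Options;

public sealed class AvpAuthorizationOptions
{
    public string PolicyStoreId { get; set; } = "<policy-store-id-from-cdk-output>"; // placeholder
    public string Namespace { get; set; } = "TinyTodo"; // assumed Cedar schema namespace
}

// Requirement: "may the current user perform <ActionId> on a <ResourceType>?"
public sealed class AvpRequirement : IAuthorizationRequirement
{
    public AvpRequirement(string resourceType, string actionId)
    {
        ResourceType = resourceType;
        ActionId = actionId;
    }
    public string ResourceType { get; }
    public string ActionId { get; }
}

public sealed class AvpPolicyProvider : IAuthorizationPolicyProvider
{
    public const string Prefix = "AVP:"; // e.g. [Authorize(Policy = "AVP:TodoList::addItem")]
    private readonly DefaultAuthorizationPolicyProvider _fallback;

    public AvpPolicyProvider(IOptions<AuthorizationOptions> options)
        => _fallback = new DefaultAuthorizationPolicyProvider(options);

    public Task<AuthorizationPolicy?> GetPolicyAsync(string policyName)
    {
        // Policies without the prefix are resolved by the built-in provider.
        if (!policyName.StartsWith(Prefix, StringComparison.OrdinalIgnoreCase))
            return _fallback.GetPolicyAsync(policyName);

        var parts = policyName.Substring(Prefix.Length).Split("::", 2);
        if (parts.Length != 2)
            return Task.FromResult<AuthorizationPolicy?>(null); // unknown policy: fail closed

        var policy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .AddRequirements(new AvpRequirement(parts[0], parts[1]))
            .Build();
        return Task.FromResult<AuthorizationPolicy?>(policy);
    }

    public Task<AuthorizationPolicy> GetDefaultPolicyAsync() => _fallback.GetDefaultPolicyAsync();
    public Task<AuthorizationPolicy?> GetFallbackPolicyAsync() => _fallback.GetFallbackPolicyAsync();
}

// The resource argument is the entity id (for example the to-do list id) that the page or
// controller passes to IAuthorizationService.AuthorizeAsync(user, resourceId, policyName).
public sealed class AvpAuthorizationHandler : AuthorizationHandler<AvpRequirement, string>
{
    private readonly IAmazonVerifiedPermissions _avp;
    private readonly AvpAuthorizationOptions _opts;

    public AvpAuthorizationHandler(IAmazonVerifiedPermissions avp, IOptions<AvpAuthorizationOptions> opts)
    {
        _avp = avp;
        _opts = opts.Value;
    }

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context, AvpRequirement requirement, string resourceId)
    {
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(userId))
            return; // no identified principal: requirement stays unmet, request is denied

        var request = new IsAuthorizedRequest
        {
            PolicyStoreId = _opts.PolicyStoreId,
            Principal = new EntityIdentifier { EntityType = $"{_opts.Namespace}::User", EntityId = userId },
            Action = new ActionIdentifier { ActionType = $"{_opts.Namespace}::Action", ActionId = requirement.ActionId },
            Resource = new EntityIdentifier { EntityType = $"{_opts.Namespace}::{requirement.ResourceType}", EntityId = resourceId },
        };

        var response = await _avp.IsAuthorizedAsync(request);
        if (response.Decision == Decision.ALLOW)
            context.Succeed(requirement);
        // A DENY decision (or a thrown SDK exception) leaves the requirement unmet: ASP.NET Core returns 403.
    }
}

// Registration in Program.cs (assumed section name "VerifiedPermissions" in appsettings.json):
// builder.Services.Configure<AvpAuthorizationOptions>(builder.Configuration.GetSection("VerifiedPermissions"));
// builder.Services.AddAWSService<IAmazonVerifiedPermissions>();
// builder.Services.AddSingleton<IAuthorizationPolicyProvider, AvpPolicyProvider>();
// builder.Services.AddScoped<IAuthorizationHandler, AvpAuthorizationHandler>();
```

Two design points are worth keeping: the handler never calls context.Fail on a DENY, so other handlers cannot be short-circuited, but it also never succeeds without an explicit ALLOW from the policy store, so a malformed policy name, a missing identity claim or an API failure all end in a 403 rather than an accidental grant. Role-based checks such as the admin page use the same path, with the page itself as the resource and an action like "accessAdminModule"; the decision comes from policies in the store, not from role strings in the application.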

Prerequisites

To test the sample application, you need:

  • An AWS account
  • Access to the following AWS services: Amazon Verified Permissions.
  • Policy Store created on Amazon Verified Permissions
  • Node.js installed
  • AWS CDK installed
  • .NET 6.0 SDK installed
  • JetBrains Rider or Microsoft Visual Studio 2017 or later (or Visual Studio Code)

Deployment

To deploy the policy store on AWS:

  • Build the CDK project

    C:\Dev\customauthpolicyproviderdemo\TinyTodo.CDK>dotnet build

  • Deploy the CDK project

    C:\Dev\customauthpolicyproviderdemo\TinyTodo.CDK>cdk deploy

  • Copy the policy store and policy template ids from the CDK output

(Image: CDK output listing the policy store and policy template ids)

(Image: AppSettings configuration)

Testing

Run TinyTodo.Web project

Resource based authorization

Create and share a sample todo list

  • Log in as user1@example.com (with any password) and go to the 'My Todo Lists' page.
  • Create a to-do list
  • Share it with user2@example.com (leave the 'Allow Reshare' option unchecked)
  • Log out

Check the template-linked policy created

  • Log in to the Amazon Verified Permissions console
  • Select the application's policy store
  • You can see that a new template-linked policy has been created (linked to the policy template TodoListSharedAccessPolicyTemplate)
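The template-linked policy you see in the console is created by the application when a list is shared. The following is an added example, not the sample project's code, of the CreatePolicy call that links one of the two templates to the invited user and the shared list, and of the matching DeletePolicy call for unsharing. The entity type names "TinyTodo::User" and "TinyTodo::TodoList" are assumptions; the policy store id and the two template ids are placeholders for the values copied from the CDK output.

```csharp
// Added example (not the sample project's code): creating and removing the
// template-linked policy behind the "share to-do list" action.
using System.Threading.Tasks;
using Amazon.VerifiedPermissions;
using Amazon.VerifiedPermissions.Model;

public sealed class TodoListSharingService
{
    private readonly IAmazonVerifiedPermissions _avp;
    private readonly string _policyStoreId;              // placeholder: from CDK output
    private readonly string _sharedAccessTemplateId;     // TodoListSharedAccessPolicyTemplate id
    private readonly string _sharedWithReshareTemplateId; // TodoListSharedAccessWithResharePolicyTemplate id

    public TodoListSharingService(IAmazonVerifiedPermissions avp, string policyStoreId,
        string sharedAccessTemplateId, string sharedWithReshareTemplateId)
    {
        _avp = avp;
        _policyStoreId = policyStoreId;
        _sharedAccessTemplateId = sharedAccessTemplateId;
        _sharedWithReshareTemplateId = sharedWithReshareTemplateId;
    }

    // Links the chosen template to (principal = invited user, resource = the list).
    // Returns the new policy id so it can be stored with the share record and revoked later.
    public async Task<string> ShareAsync(string listId, string withUserId, bool allowReshare)
    {
        var templateId = allowReshare ? _sharedWithReshareTemplateId : _sharedAccessTemplateId;

        var response = await _avp.CreatePolicyAsync(new CreatePolicyRequest
        {
            PolicyStoreId = _policyStoreId,
            Definition = new PolicyDefinition
            {
                TemplateLinked = new TemplateLinkedPolicyDefinition
                {
                    PolicyTemplateId = templateId,
                    Principal = new EntityIdentifier { EntityType = "TinyTodo::User", EntityId = withUserId },
                    Resource = new EntityIdentifier { EntityType = "TinyTodo::TodoList", EntityId = listId },
                }
            }
        });

        return response.PolicyId;
    }

    // Revokes a share by deleting the template-linked policy that granted it.
    public Task UnshareAsync(string policyId) =>
        _avp.DeletePolicyAsync(new DeletePolicyRequest { PolicyStoreId = _policyStoreId, PolicyId = policyId });
}
```

The calling page should first ask the authorization service whether the current user may share the list (the share action on that list) before invoking ShareAsync; that is what produces the error described in the next steps when user2, who holds only the non-reshare template-linked policy, attempts to reshare. Persisting the returned policy id with the share record keeps revocation exact, since deleting that one policy removes precisely the grant that the share created.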

Verify the user permissions on the shared to-do list

  • Log in as user2@example.com (with any password) and go to the 'My Todo Lists' page.
  • You can see the to-do list shared by user1@example.com
  • Try resharing the to-do list with another user (user3@example.com); you should see an error message, because the above-mentioned template-linked policy grants permission only to add items to the to-do list.

Attribute-based authorization

Role-based authorization

  • Log in as user1@example.com (with any password) and try visiting the 'Admin' page.
  • You should see an error page (access is limited by the policy AdminModuleAccessPolicy)
  • Log out
  • Log in as admin@example.com (with any password) and try visiting the 'Admin' page.
  • You should see the admin page without any errors

Reset the sample application

  • To reset the application, rename or delete the TinyTodoDatabase.db file in the TinyTodo.Web project

Resources

References

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.
