AuthZ: Add IAuthorizationRequirementData

[HaoK]

Background and Motivation

We want to make it easier to attribute endpoints to add additional requirements for authorization. This interface will help by letting metadata or custom attributes specify requirements which will automatically get combined with other existing authorization mechanisms. Note the presence of IAuthorizationRequirementData metadata will be treated similar to IAuthorizeData, meaning its considered opting in for authorization (but it does not automatically bring in the default policy, see examples)

Proposed API

namespace Microsoft.AspNetCore.Authorization;

+ public interface IAuthorizationRequirementData
{
+    IEnumerable<IAuthorizationRequirement> GetRequirements();
}

Usage Examples

Example 1: Derive from Authorize attribute without specifying a policy to customize the default policy by adding arbitrary requirements, i.e.

internal class MinimumAgeAuthorizeAttribute : AuthorizeAttribute, IAuthorizationRequirementData
{
    public MinimumAgeAuthorizeAttribute(int age) => Age = age;

    public int Age { get; }

    IEnumerable<IAuthorizationRequirement> GetRequirements() => new[] { 
        new MinimumAgeRequirement(Age)
    };
}
    
    [MinimumAgeAuthorize(21)]
    public void NoKidsControllerMethod { ... }

Example 2: Fully specify the requirements without interacting with default policy (no authorize attribute), i.e. only allow authorization on Tuesdays

internal class OnlyTuesdayAttribute : Attribute, IAuthorizationRequirementData
{
    IEnumerable<IAuthorizationRequirement> GetRequirements() => new[] { 
        new OnlyTuesdayRequirement()
    };
}
    
    [OnlyTuesday]
    public void TacoTuesdayMethod { ... }

Alternative Designs

Decided against allowing specification of a fully policy to minimize the complexity of how it combines with existing methods of producing policies, as its trivial to combine additional requirements (always safe to combine)

Risks

New way to opt into authorization where before only [Authorize]/IAuthorizeData was used to require authorization.

[ghost]

Thank you for submitting this for API review. This will be reviewed by @dotnet/aspnet-api-review at the next meeting of the ASP.NET Core API Review group. Please ensure you take a look at the API review process documentation and ensure that:

• The PR contains changes to the reference-assembly that describe the API change. Or, you have included a snippet of reference-assembly-style code that illustrates the API change.
• The PR describes the impact to users, both positive (useful new APIs) and negative (breaking changes).
• Someone is assigned to "champion" this change in the meeting, and they understand the impact and design of the change.

[HaoK]

PR: #44342

[HaoK]

@dotnet/aspnet-api-review this is ready for review

[halter73]

API Review Notes:

1. The motivation is that writing code to add new auth requirements to an endpoint (e.g. min age) requires writing a lot of code today in many classes.
2. Discussed how the IAuthorizationRequirement marker interface works. All existing logic.
3. Are we okay with logic in attributes? Yes. It's super convenient.
4. Method vs property. We fee that a method better matches expectations. We don't know much about what the implementation could be. It's probably usually cached by our built-in policy providers, so we don't really require this is inexpensive.

API Approved!

namespace Microsoft.AspNetCore.Authorization;

+ public interface IAuthorizationRequirementData
+ {
+    IEnumerable<IAuthorizationRequirement> GetRequirements();
+ }