Authorization policies #18

Closed
seniorquico opened this Issue Dec 21, 2018 · 2 comments

seniorquico commented Dec 21, 2018

A question... Is it possible to make use of ASP.NET Core authorization policies to restrict an SSE endpoint to authenticated users? I'm struggling to figure out how this could be configured.

@tpeczek tpeczek added the Question label Dec 22, 2018

tpeczek commented Dec 22, 2018

This falls under the general problem of using authorization policies with middleware (for example, if you wanted to limit access to some static resources). ASP.NET Core provides direct authorization access only for MVC (AuthorizeAttribute); if you want to protect middleware, you need your own code which utilizes IAuthorizationService (similar to view-based authorization). One way to do that is to create another reusable middleware which can validate a policy.

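using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Middleware that lets a request through only when the current user satisfies the named policy.
internal class AuthorizationPolicyMiddleware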
{
	private readonly RequestDelegate _next;
	private readonly string _policyName;

	public AuthorizationPolicyMiddleware(RequestDelegate next, string policyName)
	{
		_next = next;
		_policyName = policyName;
	}

	public async Task Invoke(HttpContext httpContext, IAuthorizationService authorizationService)
	{
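		// Evaluate the named policy against the current user (no resource).
		AuthorizationResult authorizationResult = await authorizationService.AuthorizeAsync(httpContext.User, null, _policyName);
		if (!authorizationResult.Succeeded)
		{
			// Policy not satisfied: challenge and stop, so the rest of the pipeline never runs.
			await httpContext.ChallengeAsync();
			return;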
		}

		await _next(httpContext);
	}
}

internal static class AuthorizationApplicationBuilderExtensions
{
	public static IApplicationBuilder UseAuthorizationPolicy(this IApplicationBuilder app, string policyName)
	{
		if (app == null)
		{
			throw new ArgumentNullException(nameof(app));
		}

		if (String.IsNullOrWhiteSpace(policyName))
		{
			throw new ArgumentNullException(nameof(policyName));
		}

		return app.UseMiddleware<AuthorizationPolicyMiddleware>(policyName);
	}
}

With such middleware you can branch the pipeline with Map and place it before the SSE middleware.

public class Startup
{
    ...

    public void Configure(IApplicationBuilder app, IHostingEnvironment env, IServiceProvider serviceProvider)
    {
        ...

        app.UseAuthentication();

        ...

        app.Map("/sse-notifications-authorized", branchedApp =>
        {
            branchedApp.UseAuthorizationPolicy("PolicyName");
            branchedApp.UseServerSentEvents<NotificationsServerSentEventsService>();
        });

        ...
    }
}

If you want to validate multiple policies you just need to call UseAuthorizationPolicy multiple times.

I think I should add this sample to the documentation...

@tpeczek tpeczek added the Task label Dec 22, 2018

@tpeczek tpeczek self-assigned this Dec 22, 2018
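
An added example, not code from this thread or from the library: a variant of the middleware above that forbids authenticated callers who fail the policy and challenges only anonymous ones, plus registration of the policy it checks. The class names, the policy name `SseSubscribers` and the role `notifications-reader` are hypothetical, and ASP.NET Core 2.x is assumed as in the thread.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Added example: hypothetical variant of the middleware from the comment above.
internal class ChallengeOrForbidPolicyMiddleware
{
    private readonly RequestDelegate _next;
    private readonly string _policyName;

    public ChallengeOrForbidPolicyMiddleware(RequestDelegate next, string policyName)
    {
        _next = next ?? throw new ArgumentNullException(nameof(next));
        _policyName = policyName ?? throw new ArgumentNullException(nameof(policyName));
    }

    public async Task Invoke(HttpContext httpContext, IAuthorizationService authorizationService)
    {
        AuthorizationResult result =
            await authorizationService.AuthorizeAsync(httpContext.User, null, _policyName);
        if (result.Succeeded)
        {
            await _next(httpContext);
            return;
        }

        // Fail closed: the SSE middleware is never reached past this point.
        if (httpContext.User?.Identity?.IsAuthenticated ?? false)
            await httpContext.ForbidAsync();    // identity known, policy not met
        else
            await httpContext.ChallengeAsync(); // anonymous: ask the scheme to authenticate
    }
}

internal static class SsePolicyRegistration
{
    // Call from Startup.ConfigureServices; policy and role names are hypothetical.
    public static IServiceCollection AddSsePolicy(this IServiceCollection services)
    {
        return services.AddAuthorization(options =>
            options.AddPolicy("SseSubscribers", policy => policy
                .RequireAuthenticatedUser()
                .RequireRole("notifications-reader")));
    }
}
```

Inside the `Map` branch it is registered with `branchedApp.UseMiddleware<ChallengeOrForbidPolicyMiddleware>("SseSubscribers")` ahead of the SSE middleware. `ForbidAsync` and `ChallengeAsync` act on the default schemes configured through `AddAuthentication`.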

tpeczek commented Jan 5, 2019

After some thinking I've decided to add authorization support directly, so no additional middleware is necessary. It will look like this:

public class Startup
{
    ...

    public void Configure(IApplicationBuilder app)
    {
        ...

        app.MapServerSentEvents("/default-sse-endpoint", new ServerSentEventsOptions
        {
            Authorization = new ServerSentEventsAuthorization
            {
                Policy = "PolicyName"
            }
        });

        ...
    }
}

It will support the same settings as AuthorizeAttribute.

@tpeczek tpeczek added Enhancement Medium and removed Task labels Jan 5, 2019

@tpeczek tpeczek added this to the v3.1.0 milestone Jan 5, 2019

@tpeczek tpeczek removed the Question label Jan 6, 2019

tpeczek added a commit that referenced this issue Jan 6, 2019

tpeczek added a commit that referenced this issue Jan 8, 2019

@tpeczek tpeczek closed this Jan 8, 2019
