Implementing A Custom Authorization Handler In ASP.NET Core | Permission Authorization - Part 3

Milan Jovanović

1 year ago

31,245 views

Comments:

Andy HB - 24.09.2023 09:26

Hi Milan, just followed your video series through and your explanation of the various classes required to implement a full-featured custom authorization are superb and have saved me endless hours I'm sure! I wanted my permission model to be split into two elements e.g. Users with Author, Contributor and Viewer levels. To achieve this I have just concatenated the Permission and Level enums to create my policy name within the HasPermissionAttribute and then I deconstruct them in the policy provider to allow the correct creation of my permission requirement, do you think this is sensible?

Andrés Jiménez - 13.09.2023 21:39

Hey Milan, thanks for this awesome content!!
I have my web API project with 41 controllers and several API methods (haven't counted them all yet), and I'm defining permissions for each endpoint using a smart enum 'Permission', but it's beginning to look like quite a long class, any suggestion?

Abu Bakr Sadiqi - 27.08.2023 18:48

Every time I come to watch your video for a specific topic, I learn tons of other topics too.
Can you please make some videos about unit test and integration tests which are on a real project. Because I watched lots of videos about it, but still, I am stuck.

Thanks for that and stay awesome. 😊😊

Dicusar Denis - 23.07.2023 01:44

I just wanted to thank you for everything that you are doing, your content is awesome and it helped me a lot. I think you deserve way more subscribers than you have :)
P.S. Good luck, looking forward to the video course series

Hasitha Wikramasinghe - 22.07.2023 18:52

Hi Milan,
I implemented permission based authorization in .NET 5 with the support of your video. But I got stuck at some point. Here is my problem.
- When I'm trying to access the logged-in user's userId (by context.User.Claims) from the context in the PermissionAuthorizationHandler class it's always null. I almost wasted 5-6 days trying to figure this out. But I wasn't able to find where the issue is. Do you have any idea about this type of issue?

Bogdan Yurchak - 21.07.2023 22:33

Great post, Milan. In the past, when I first implemented permission-based RBAC, I spent so much time getting the content that is gathered here in several videos.

One thing I noticed that might be improved in your example. In AuthorizationPolicyProvider you are getting the policy and if it's not null you are creating it. To avoid creation of the policies all the time I'd suggest to take IOptions<AuthorizationOptions> options from the constructor to a local variable and then slightly modify GetPolicyAsync to:

    if (policy == null)
    {
        if (Enum.TryParse<PermissionId>(policyName, out var permissionId))
        {
            policy = new AuthorizationPolicyBuilder()
                .AddRequirements(new PermissionRequirement(permissionId))
                .Build();

            // Add policy to the AuthorizationOptions, so we don't have to re-create it each time
            options.Value.AddPolicy(policyName, policy);
        }
    }

Ali Moeen - 20.07.2023 02:57

I wish the source code was provided.

MCDaddy - 09.06.2023 20:19

"You know the drill"

ramakrishna k - 13.05.2023 07:07

Milan, everything is good but you are speaking in a very flat tone, meaning you need to highlight and pause at main points, otherwise it's hard to figure out what's the critical portion or real logic to remember. Skip saying very common things like "I am giving it as argument", blah blah... we can very much see it anyway. I request that you first elaborate on a drawing board what the overall design and flow is. I could not sync with your talk and video at the same time.

tech pc - 26.04.2023 22:37

Soon Hong Ng - 16.04.2023 10:10

Hi Milan, thanks for this awesome series! However, I face the error in GetPermissionsAsync too, while accessing the GetMemberById endpoint. The error is from _dbContext.Set<Member>().Include(x => x.Roles).ThenInclude(x => x.Permissions)..... Error was 'Invalid column names RolesId'

Davit Tonoyan - 15.04.2023 22:59

Great video, Milan. I looked for a video like this for the past 6 months... Thank you

Algernon Loos - 30.03.2023 20:43

Hi, Milan! Thanks for the video series, they help me to progress on my pet project
I've got a question: Why are AuthorizationHandlers defined in the Infrastructure project, and not in the Application project for instance? What's the logic behind that?

Paul Barton - 26.03.2023 18:23

What about restrictions on owned content? Meaning, you can only successfully fetch your own member data. I am assuming ReadMember will allow me to fetch any member's data. Using a guid as the only security measure is not sufficient.

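Added example, not part of the comment above and not code from the video: one way to enforce the ownership restriction raised there is ASP.NET Core resource-based authorization, run after the permission check once the record is loaded. The `Member` shape, `MemberOwnerRequirement`, `MemberOwnerHandler`, `MemberAccess` and the use of the `NameIdentifier` claim for the member id are assumptions made for illustration.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// Hypothetical resource type; the series' Member entity may differ.
public sealed record Member(Guid Id, string Email);

// Marker requirement: the caller must own the member record being read.
public sealed class MemberOwnerRequirement : IAuthorizationRequirement { }

public sealed class MemberOwnerHandler
    : AuthorizationHandler<MemberOwnerRequirement, Member>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        MemberOwnerRequirement requirement,
        Member resource)
    {
        // Assumption: the token carries the member id in the NameIdentifier claim.
        string? claim = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;

        // Succeed only on an exact id match. A missing or malformed claim leaves
        // the requirement unmet, so the request is denied by default.
        if (Guid.TryParse(claim, out Guid callerId) && callerId == resource.Id)
        {
            context.Succeed(requirement);
        }
        return Task.CompletedTask;
    }
}

// Registration: services.AddSingleton<IAuthorizationHandler, MemberOwnerHandler>();
// Call from the endpoint after the [HasPermission] check and after loading the member.
public static class MemberAccess
{
    public static async Task<bool> CanReadAsync(
        IAuthorizationService auth, ClaimsPrincipal user, Member member)
    {
        AuthorizationResult result =
            await auth.AuthorizeAsync(user, member, new MemberOwnerRequirement());
        return result.Succeeded; // false: respond 403/404 and never return the record
    }
}
```

The handler holds no per-request state, which is why a singleton registration is safe here.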
Mike Murphy - 17.02.2023 09:56

I don't know if it is the way I have set it up, but I was getting an error when implementing the `GetPermissionAsync` method as defined here. What worked for me was to change the `.Select(x => x.Roles)` on the member context to `.SelectMany(x => x.Roles)` and then on the roles variable, remove the first `.SelectMany(x => x)`.

matthewrossee - 13.02.2023 06:29

Hi Milan, why did you decide to register the authorization handler as singleton? I was browsing through the aspnetcore source code and as far as I can tell, they register it as transient. By the way, thank you for your videos!

Mike Murphy - 31.01.2023 11:05

In my PermissionAuthorizationHandler, the `context.User.Claims` is always empty. I know I have missed something obvious, but I have been through the video several times and I cannot figure it out. Any idea what my issue may be?

Ashley Rodrigues - 25.01.2023 20:42

Hi Milan, Why do we need IServiceScopeFactory? Why can't we directly inject IPermissionService through constructor injection??

Martin Krastev - 16.01.2023 15:42

Hi Milan, thank you for the amazing tutorial! Very well explained, easy to digest and understand. I have a small suggestion though. If you want to avoid creating the policy every single time, perhaps you should add it to the AuthorizationOptions. You can do this by creating a new property:
    private readonly AuthorizationOptions options;

Assign value to this.options in the constructor:

    this.options = options.Value;

And modify the return a bit in that way:

    policy = new AuthorizationPolicyBuilder(Auth0BearerTokenConstants.AuthenticationScheme)
        .AddRequirements(new PermissionRequirement(policyName))
        .Build();

    // Add policy to the AuthorizationOptions, so we don't have to re-create it each time.
    this.options.AddPolicy(policyName, policy);

    return policy;

Let me know what your opinion is about it :)

Thanks again for the astonishing tutorial!

Kind regards/Martin
