
Tag Archives: authorization

Claims-Based Authorization in ASP.Net MVC and Web Api

Normally, I would rewrite a blog post in the hope of providing a better explanation and making the article more concise, but since this is from Dominick Baier, I think he does it best.

So here it is: how to apply claims-based authorization in ASP.NET MVC and Web API:

http://leastprivilege.com/2012/10/26/using-claims-based-authorization-in-mvc-and-web-api/


Posted on May 28, 2015 in General


Unit Testing WIF’s ClaimsPrincipalPermission.CheckAccess

WIF 4.5 has the ClaimsPrincipalPermission.CheckAccess method, which is very useful for checking a user's authorization. You can use it either as an imperative method call or declaratively as an attribute; in both forms a failed check throws a SecurityException.

// Imperative method call
using System.IdentityModel.Services;
using System.Web.Mvc;

public ActionResult Index()
{
    // Throws SecurityException unless the current ClaimsPrincipal is
    // authorized for resource "foo" and action "bar"
    ClaimsPrincipalPermission.CheckAccess("foo", "bar");

    return View();
}

// Attribute (declarative demand, evaluated before the action body runs)
using System.Security.Permissions; // SecurityAction

[ClaimsPrincipalPermission(SecurityAction.Demand, Operation = "foo", Resource = "bar")]
public ActionResult ViewFoobar()
{
    return View();
}

Either way, how do we unit test this? My approach is to first abstract out ClaimsPrincipalPermission and create a new wrapper class that will be injected into the dependent class.

Abstract Out

using System.IdentityModel.Services;

// The seam for testing: production code depends on this interface,
// not on the static ClaimsPrincipalPermission call
public interface IClaimsPrincipalWrapper
{
    void CheckAccess(string resource, string action);
}

public class ClaimsPrincipalWrapper : IClaimsPrincipalWrapper
{
    public void CheckAccess(string resource, string action)
    {
        // Delegates to WIF; throws SecurityException when access is denied
        ClaimsPrincipalPermission.CheckAccess(resource, action);
    }
}

Dependency Injection

using System.Web.Mvc;

public class HomeController : Controller
{
    private readonly IClaimsPrincipalWrapper _ClaimsPrincipalWrapper;

    public HomeController(IClaimsPrincipalWrapper claimsPrincipalWrapper)
    {
        _ClaimsPrincipalWrapper = claimsPrincipalWrapper;
    }

    public ActionResult Index()
    {
        _ClaimsPrincipalWrapper.CheckAccess("foo", "bar");

        return View();
    }
}

Unit Test

using Microsoft.VisualStudio.TestTools.UnitTesting;
using Moq;
using System.Web.Mvc;

[TestMethod]
public void TestIndex()
{
    // Arrange
    var _claimsPrincipalMock = new Mock<IClaimsPrincipalWrapper>();
    // CheckAccess is void; a plain Setup lets the call through without throwing
    _claimsPrincipalMock.Setup(m => m.CheckAccess(It.IsAny<string>(), It.IsAny<string>()));
    var _controller = new HomeController(_claimsPrincipalMock.Object);

    // Act
    var _result = _controller.Index() as ViewResult;

    // Assert
    // ViewResult.View is only populated when the result executes, so check the result itself
    Assert.IsNotNull(_result);
    // The authorization check must actually have been made for this resource and action
    _claimsPrincipalMock.Verify(m => m.CheckAccess("foo", "bar"), Times.Once());
}
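The test above only covers the permitted path. The case a reviewer will ask about is the denied path: when WIF refuses access, CheckAccess throws SecurityException and the action must not return a view. The two tests below are an added example, not part of the original post; they reuse the post's IClaimsPrincipalWrapper and HomeController and assume MSTest and Moq as in the post. The second test uses a strict mock so that a controller calling CheckAccess with the wrong resource or action (a typo in "foo"/"bar") fails the test instead of passing silently.

```csharp
using System.Security;
using System.Web.Mvc;
using Microsoft.VisualStudio.TestTools.UnitTesting;
using Moq;

[TestClass]
public class HomeControllerAuthorizationTests
{
    // Denied path: the mock behaves like WIF when the check fails, i.e. it throws
    // SecurityException. The action must propagate it and never reach View().
    [TestMethod]
    [ExpectedException(typeof(SecurityException))]
    public void Index_WhenAccessDenied_ThrowsSecurityException()
    {
        var wrapper = new Mock<IClaimsPrincipalWrapper>();
        wrapper.Setup(w => w.CheckAccess("foo", "bar")).Throws<SecurityException>();
        var controller = new HomeController(wrapper.Object);

        controller.Index(); // expected to throw before a result is produced
    }

    // Permitted path with a strict mock: any call not explicitly set up
    // (for example CheckAccess("foo", "baz")) throws MockException, so the
    // test pins the exact resource/action pair the controller demands.
    [TestMethod]
    public void Index_WhenAuthorized_ChecksExactResourceAndAction()
    {
        var wrapper = new Mock<IClaimsPrincipalWrapper>(MockBehavior.Strict);
        wrapper.Setup(w => w.CheckAccess("foo", "bar"));
        var controller = new HomeController(wrapper.Object);

        var result = controller.Index() as ViewResult;

        Assert.IsNotNull(result);
        wrapper.Verify(w => w.CheckAccess("foo", "bar"), Times.Once());
        wrapper.VerifyNoOtherCalls();
    }
}
```

VerifyNoOtherCalls requires Moq 4.8 or later; on an older Moq the strict mock alone already fails the test on any unexpected call.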

Posted on May 4, 2015 in General


OAuth2 Flows

Cliff notes from Dominick Baier's talk on OAuth2 flows.

Authorization Code Flow

(diagram: oauth2-flows-1)

Characteristics: server-based web application clients; a confidential, secured client where nobody can see the user's credentials; a human is involved; consent screen; authorization happens at the authorization server.

Applies to: web applications.

Steps:

  1. Request authorization.
  2. Request token.
  3. Access resource.

Implicit Flow

(diagram: oauth2-flows-2)

Characteristics: native/local clients and user-agent based clients; a human is involved; consent screen; authorization happens at the authorization server.

Applies to: third-party native applications (JavaScript applications included).

Steps:

  1. Request authorization & token.
  2. Access resource.

Resource Owner Credential Flow

(diagram: oauth2-flows-3)

Characteristics: trusted clients; no human involvement; no consent screen; authorization happens in the client.

Applies to: official (first-party) native applications (JavaScript applications included).

Steps:

  1. Request token with resource owner credentials.
  2. Access resource.

Client Credential Flow

(diagram: oauth2-flows-4)

Characteristics: client-to-service communication; no human involvement; no consent screen; authorization happens in the client.

Applies to: machine-to-machine communication, i.e. a service talking to the authorization server in its own right, without acting on behalf of a user.

Steps:

  1. Request token with client credentials.
  2. Access resource.
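To make the steps of the Authorization Code and Client Credentials flows concrete, here is an added C# example that is not from the talk or the original post: it builds the three messages of the Authorization Code flow (authorization request, token request, resource request) and the single token request of the Client Credentials flow, so the difference between the two is visible in the parameters each one sends. The endpoint URLs, client id and secret are placeholders. It goes slightly beyond the notes in one respect: the authorization request carries a state value that the client stores and compares on the callback, which is the standard way (RFC 6749) of binding the callback to the session that started the flow.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;

public static class OAuth2FlowMessages
{
    // Hypothetical authorization server endpoints; replace with your own.
    const string AuthorizeEndpoint = "https://authserver.example/connect/authorize";
    const string TokenEndpoint = "https://authserver.example/connect/token";

    // Authorization Code flow, step 1: the front-channel request the browser is sent to.
    // Only the client id travels through the browser; the secret never does.
    public static string BuildAuthorizeUrl(string clientId, string redirectUri, string scope, string state)
    {
        return AuthorizeEndpoint +
               "?response_type=code" +
               "&client_id=" + Uri.EscapeDataString(clientId) +
               "&redirect_uri=" + Uri.EscapeDataString(redirectUri) +
               "&scope=" + Uri.EscapeDataString(scope) +
               "&state=" + Uri.EscapeDataString(state);
    }

    // Unguessable per-request value; the client keeps it (e.g. in the session)
    // and refuses any callback whose state does not match.
    public static string NewState()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Parse the redirect back to the client (?code=...&state=...) and extract the code,
    // or fail if the state does not match or the server reported an error.
    public static string ExtractAuthorizationCode(Uri callback, string expectedState)
    {
        var query = ParseQuery(callback.Query);
        string state;
        if (!query.TryGetValue("state", out state) || state != expectedState)
            throw new InvalidOperationException("state mismatch: callback is not bound to this session");
        string error;
        if (query.TryGetValue("error", out error))
            throw new InvalidOperationException("authorization server returned error: " + error);
        string code;
        if (!query.TryGetValue("code", out code) || code.Length == 0)
            throw new InvalidOperationException("callback carries no authorization code");
        return code;
    }

    // Authorization Code flow, step 2: back-channel token request. This is where the
    // confidential client authenticates with its secret, server to server.
    public static HttpRequestMessage BuildCodeTokenRequest(string clientId, string clientSecret, string code, string redirectUri)
    {
        var form = new Dictionary<string, string>
        {
            { "grant_type", "authorization_code" },
            { "code", code },
            { "redirect_uri", redirectUri }, // must equal the one used in step 1
        };
        return TokenRequest(clientId, clientSecret, form);
    }

    // Client Credentials flow, step 1: no user, no code, no consent; the client's
    // own credentials alone obtain a token for the requested scope.
    public static HttpRequestMessage BuildClientCredentialsTokenRequest(string clientId, string clientSecret, string scope)
    {
        var form = new Dictionary<string, string>
        {
            { "grant_type", "client_credentials" },
            { "scope", scope },
        };
        return TokenRequest(clientId, clientSecret, form);
    }

    // Last step of both flows: present the access token as a bearer token.
    public static HttpRequestMessage BuildResourceRequest(string resourceUrl, string accessToken)
    {
        var request = new HttpRequestMessage(HttpMethod.Get, resourceUrl);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        return request;
    }

    static HttpRequestMessage TokenRequest(string clientId, string clientSecret, Dictionary<string, string> form)
    {
        var request = new HttpRequestMessage(HttpMethod.Post, TokenEndpoint);
        request.Content = new FormUrlEncodedContent(form);
        // HTTP Basic client authentication (RFC 6749 section 2.3.1); assumes an id and
        // secret that need no additional form-encoding
        var credentials = Convert.ToBase64String(Encoding.UTF8.GetBytes(clientId + ":" + clientSecret));
        request.Headers.Authorization = new AuthenticationHeaderValue("Basic", credentials);
        return request;
    }

    static Dictionary<string, string> ParseQuery(string query)
    {
        var result = new Dictionary<string, string>();
        foreach (var pair in query.TrimStart('?').Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries))
        {
            var idx = pair.IndexOf('=');
            var key = idx < 0 ? pair : pair.Substring(0, idx);
            var value = idx < 0 ? "" : pair.Substring(idx + 1);
            result[Uri.UnescapeDataString(key)] = Uri.UnescapeDataString(value);
        }
        return result;
    }
}
```

A web application would call NewState and BuildAuthorizeUrl when redirecting the user, ExtractAuthorizationCode and BuildCodeTokenRequest in its callback action, and BuildResourceRequest once it has the token; a background service uses only BuildClientCredentialsTokenRequest and BuildResourceRequest. Sending the requests with HttpClient and parsing the JSON token response are left out so the messages themselves stay in view.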

Assertion Flow

(diagram: oauth2-flows-5)

Characteristics: use one of the 'core' flows first, then access another trusted system (a partner).

Applies to: translating between identity management systems (e.g. ADFS's SAML to Thinktecture's JWT); communicating with a partner's resources using the client's credentials.

Steps:

  1. Request a token using a 'core' flow (Authorization Code, Implicit, Resource Owner Credential or Client Credential).
  2. Request token using ‘assertion’ flow.
  3. Use token.

Posted on September 24, 2014 in General
