Introduction To Permission Authorization In ASP.NET Core 7 | Permission Authorization - Part 1

  • Published 7 Jan 2025

Comments • 77

  • @MilanJovanovicTech  2 years ago +4

    Get the source code for this video for FREE → the-dotnet-weekly.ck.page/permissions1
    Want to master Clean Architecture? Go here: bit.ly/3PupkOJ
    Want to unlock Modular Monoliths? Go here: bit.ly/3SXlzSt

  • @LimitedWard 2 years ago +29

    One important security tip when implementing permission scopes like this: the default behavior for any endpoint should be to deny all requests if no permission scopes are specified. If you don't implement it this way, you could easily forget to restrict an important endpoint and inadvertently introduce vulnerabilities.

    • @MilanJovanovicTech  2 years ago +4

      That's a great point!

    • @Javier-uh7mb 1 year ago

      Good approach, thanks!

    • @ALOKSHARMAMD 1 year ago

      nice approach, you can decorate all access permissions as Permission.Public

  • @fernandocalmet 2 years ago +6

    This is one of the series I've been waiting for the most. I enjoy and learn a lot with your content, thank you very much for sharing Milan.😃

  • @richardarielcruzcespedes9455 2 years ago +3

    This is very useful, please keep going with this. I'm looking forward to seeing part 2.

  • @cyrildouglas9262 2 years ago +1

    Using an enum is really a great choice for this scenario. Kindly waiting for part 2; thanks for the effort you put into this.

    • @MilanJovanovicTech  2 years ago +1

      Glad you liked it Cyril, I'm excited about the next parts 😁

  • @recepciftci2642 2 years ago +1

    Really excited about your future videos. Awesome work!

  • @MaxSupercars 2 years ago +1

    Great vid! Looking forward to the next parts! Authorization is a basic part of every enterprise web application. Thanx! 🙂

    • @MilanJovanovicTech  2 years ago

      The core implementation is coming next week 😁

  • @sauravbhatta5303 2 years ago +3

    Keep coming homie!

  • @nove1398 2 years ago +1

    Awesome video! Keep them coming

  • @elpe21 2 years ago +1

    Great stuff, waiting for part 10 ;-)

  • @angelo.piletti 1 year ago +1

    Amazing series

  • @grumpydeveloper69 2 years ago +3

    @Milan I must be missing something. After saying that Roles and Policies have to be hardcoded you implement HasPermission as a subclass of the same attribute, Authorize, and then call the constructor of that attribute with your permission value as Policy. So in fact we are still using the Authorize attribute with the policy parameter. How is this improving things? Or are you going to implement something different than calling the base constructor in part 2 ?

    • @MilanJovanovicTech  2 years ago +1

      The point is using an enum to specify the permission instead of a string. I'm not sure how you don't see that as an improvement in itself?

    • @grumpydeveloper69 2 years ago

      @@MilanJovanovicTech I guess you are talking about what Jason Taylor showed, how you can translate values back to their enum "values", although his method used binary values, so when you have a serious amount of enums you would run into issues with those power-of-2 values, right... Anyway, I was just curious and am really interested in how you continue in part 2 and beyond. I did not mean anything negative.

    • @grumpydeveloper69 2 years ago +2

      Also, I just saw this video about dynamic security, th-cam.com/video/x7NxbZNboIc/w-d-xo.html, which looked nice and flexible.

  • @Nisa-Julie 2 years ago +1

    Every one of your videos is very useful, @Milan.

  • @pureevil379 2 years ago +1

    Fantastic video

  • @rahulbanerjee3947 10 months ago +1

    Hi Milan, literally a new fan of your great explaining techniques.
    However, can I request a video playlist of a project implementing clean architecture or the DI pattern, through to deployment?

    • @MilanJovanovicTech  10 months ago

      I have a bunch of videos on Clean Architecture, and there should be a playlist called CA with DDD

  • @mdrahbarahmedkhan 1 year ago +1

    Hi Milan,
    Thanks for this series. It helped a lot.
    Now I am wondering how to do permission-based authorization while using Azure AD.

    • @MilanJovanovicTech  1 year ago +1

      1) Take care of the Permissions in your system
      2) Add them as Claims in AD

    • @mdrahbarahmedkhan 1 year ago

      @@MilanJovanovicTech thank you for the help 😊

  • @mahdignb 2 years ago +1

    Great stuff. I have one question: why do you define the controller class as sealed, and the HasPermission class too?

    • @MilanJovanovicTech  2 years ago

      I like to make it explicit that it can't be inherited

  • @vertikalniserklaz8694 26 days ago

    Nice video again. Do you have any video where you pass back to the UI a JWT token extended with additional values, e.g. tenant ID, user roles, etc.? I've implemented ASP.NET Core Identity and don't have access to the controller, as I'm using the base one provided by the framework, so I'm wondering where and when to append these values after successfully getting through the login process.

    • @MilanJovanovicTech  26 days ago +1

      You'd need to create a new ClaimsPrincipal and either convert it into a JWT or Cookie

  • @shakotkopavlo 7 months ago

    Thanks for your videos

  • @sameerkanitkar 5 months ago

    Hello Milan, how do I update the policy after the permissions have been updated for a particular role? Say the user is already logged in and the admin updates his permissions from the backend; how would I update the user's policy?

    • @MilanJovanovicTech  5 months ago

      Short token expiration times, and force the user to relog
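
Milan's answer above is short token lifetimes plus a forced re-login. A complementary approach, added here as an example and not code from the video or the Gatherly project: an IClaimsTransformation that re-reads the user's permissions from a store on every request, through a short-lived cache that the admin path evicts when it changes someone's permissions, so a change takes effect at the next request instead of at token expiry. IPermissionStore, the "sub" claim as user id, the "permission" claim type and the cache key format are assumptions.

```csharp
// Added example (not the video's or Gatherly's code). Assumptions: the user id is the "sub"
// claim; IPermissionStore is a hypothetical repository; the host registers AddMemoryCache().
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Caching.Memory;

public interface IPermissionStore
{
    Task<IReadOnlyCollection<string>> GetPermissionsAsync(Guid userId, CancellationToken cancellationToken);
}

public sealed class PermissionClaimsTransformation : IClaimsTransformation
{
    // Upper bound on how long a revoked permission is still honoured when Evict() was not
    // called (for example after a change made directly in the database).
    private static readonly TimeSpan CacheTtl = TimeSpan.FromMinutes(1);
    private readonly IPermissionStore _store;
    private readonly IMemoryCache _cache;

    public PermissionClaimsTransformation(IPermissionStore store, IMemoryCache cache)
    {
        _store = store;
        _cache = cache;
    }

    public static string CacheKey(Guid userId) => $"permissions:{userId:D}";

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // Anonymous requests and principals without a parsable user id pass through untouched.
        if (principal.Identity is not ClaimsIdentity source || !source.IsAuthenticated
            || !Guid.TryParse(source.FindFirst("sub")?.Value, out var userId))
        {
            return principal;
        }

        var permissions = await _cache.GetOrCreateAsync(CacheKey(userId), async entry =>
        {
            entry.AbsoluteExpirationRelativeToNow = CacheTtl;
            return await _store.GetPermissionsAsync(userId, CancellationToken.None);
        }) ?? Array.Empty<string>();

        // Work on a clone: the transformation can run more than once per request, and any
        // "permission" claims carried by the token are replaced rather than merged, so a
        // permission removed since the token was issued does not survive.
        var identity = source.Clone();
        foreach (var stale in identity.FindAll("permission").ToList())
        {
            identity.RemoveClaim(stale);
        }
        foreach (var permission in permissions)
        {
            identity.AddClaim(new Claim("permission", permission));
        }
        return new ClaimsPrincipal(identity);
    }
}

// Call after an admin changes a user's permissions so the very next request sees the new set.
public static class PermissionCacheInvalidation
{
    public static void Evict(IMemoryCache cache, Guid userId) =>
        cache.Remove(PermissionClaimsTransformation.CacheKey(userId));
}
```

Register it with `builder.Services.AddMemoryCache();` and `builder.Services.AddScoped<IClaimsTransformation, PermissionClaimsTransformation>();`. The transformation rebuilds the principal from its primary identity only, which is the normal shape for a JWT bearer principal; the cache is per process, so with several instances either the TTL is the revocation bound or a distributed cache must back the eviction.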

  • @javidibra6786 11 months ago +1

    🤙🤙🤙amazing content

  • @liampillay5126 1 year ago +1

    Thank you 🎉🎉🎉

  • @abuzeralaca 1 year ago +1

    What is the starting point of this project? I would love to build this Gatherly app.

  • @mcdaddy1334 1 year ago +1

    Smashed that like button 💪

  • @amirkamolov9049 2 years ago +1

    Hello. I have a more complicated authorization problem. I need to implement resource-dependent authorization. For example, so that the user can access only those records to which he has access. Can you give me some advice ?

    • @MilanJovanovicTech  2 years ago +1

      You'll have to implement a custom solution, checking if the current user has access to the given resource. You can use the idea from Part 3 that was released today to implement an AuthorizationHandler, and then add the logic for resource authorization inside.

    • @amirkamolov9049 2 years ago

      @@MilanJovanovicTech, thank you for a great answer!
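
The resource-based handler Milan points to above, as an added example that is not code from the video or the Gatherly project: the endpoint loads the record first and then asks IAuthorizationService about that specific record, and the handler decides from who owns it rather than from a global permission alone. GatheringRecord, IGatheringRepository, the in-memory sample data, the "sub" claim as caller id and the ReadAnyGathering permission are all hypothetical; JWT bearer options are assumed to be configured elsewhere.

```csharp
// Added example (not the video's or Gatherly's code). Assumptions: .NET 7 minimal API with the
// Microsoft.AspNetCore.Authentication.JwtBearer package; bearer options configured elsewhere;
// the caller id is the "sub" claim; GatheringRecord and IGatheringRepository are hypothetical.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Infrastructure;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer();
builder.Services.AddAuthorization();
builder.Services.AddSingleton<IAuthorizationHandler, GatheringOwnerHandler>();
builder.Services.AddSingleton<IGatheringRepository, InMemoryGatheringRepository>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Load first, then ask the authorization service about this particular record.
app.MapGet("/gatherings/{id:guid}", async (Guid id, ClaimsPrincipal user,
    IAuthorizationService authorization, IGatheringRepository repository) =>
{
    var record = await repository.GetAsync(id);
    if (record is null) return Results.NotFound();
    var decision = await authorization.AuthorizeAsync(user, record, GatheringOperations.Read);
    // Return NotFound() here as well if the existence of other users' records must not leak.
    return decision.Succeeded ? Results.Ok(record) : Results.Forbid();
}).RequireAuthorization();

app.Run();

public sealed record GatheringRecord(Guid Id, Guid OwnerId, string Name);

public interface IGatheringRepository
{
    Task<GatheringRecord?> GetAsync(Guid id);
}

// Constructed sample data so the endpoint can be exercised without a database.
public sealed class InMemoryGatheringRepository : IGatheringRepository
{
    private static readonly Guid SampleId = Guid.Parse("11111111-1111-1111-1111-111111111111");
    private static readonly Guid SampleOwner = Guid.Parse("aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa");
    private static readonly Dictionary<Guid, GatheringRecord> Records = new()
    {
        [SampleId] = new GatheringRecord(SampleId, SampleOwner, "Sample gathering"),
    };

    public Task<GatheringRecord?> GetAsync(Guid id) =>
        Task.FromResult<GatheringRecord?>(Records.TryGetValue(id, out var record) ? record : null);
}

public static class GatheringOperations
{
    public static readonly OperationAuthorizationRequirement Read = new() { Name = nameof(Read) };
    public static readonly OperationAuthorizationRequirement Update = new() { Name = nameof(Update) };
}

// The owner may read and update; a "permission" claim of ReadAnyGathering grants read-only
// access to every record (e.g. support staff). Fail() is deliberately not called, so another
// registered handler can still grant access.
public sealed class GatheringOwnerHandler : AuthorizationHandler<OperationAuthorizationRequirement, GatheringRecord>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
        OperationAuthorizationRequirement requirement, GatheringRecord resource)
    {
        bool isOwner = Guid.TryParse(context.User.FindFirst("sub")?.Value, out var userId)
                       && userId == resource.OwnerId;
        bool readAny = requirement.Name == GatheringOperations.Read.Name
                       && context.User.HasClaim("permission", "ReadAnyGathering");
        if (isOwner || readAny)
        {
            context.Succeed(requirement);
        }
        return Task.CompletedTask;
    }
}
```

The endpoint keeps `.RequireAuthorization()` so an unauthenticated caller gets a 401 challenge before the handler ever runs; a 403 from `Results.Forbid()` is reserved for an authenticated caller who is neither the owner nor holds the read-any permission.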

  • @Andrii.S16 9 months ago

    Could you please share a link to the related topic if it exists. Thank you in advance.

    • @MilanJovanovicTech  9 months ago

      What do you mean? I wrote this recently: www.milanjovanovic.tech/blog/master-claims-transformation-for-flexible-aspnetcore-authorization

  • @krcarbo 7 months ago

    How does this work with minimal APIs please? Because we don't have an attribute if I'm not mistaken.

    • @MilanJovanovicTech  7 months ago

      RequireAuthorization and pass in the permission name

    • @krcarbo 7 months ago

      I finally found it. Either we put the attribute in front of our RequestDelegate, like [HasPermission("foo")] async (HttpContext context) => { }, or on the method we pass as the Delegate:
      [HasPermission("foo")]
      private static async Task GetAllUsers()
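
The pieces discussed in three threads above, combined into one added example that is not code from the video or the Gatherly project: the deny-by-default behaviour @LimitedWard asks for (a FallbackPolicy plus a startup check that fails if any endpoint is neither permission-guarded nor explicitly public), the enum-backed HasPermission attribute that subclasses AuthorizeAttribute, as @grumpydeveloper69 describes, with a policy provider that turns the enum name into a policy without a hardcoded AddPolicy per permission, and the two minimal API forms @krcarbo found. The Permission members, the "permission" claim type, the routes and the PermissionCoverage helper are assumptions; JWT bearer options are assumed to be configured elsewhere.

```csharp
// Added example (not the video's or the Gatherly project's code). Assumptions: .NET 7 minimal
// API with the Microsoft.AspNetCore.Authentication.JwtBearer package; bearer options (authority,
// signing key) are configured elsewhere; permissions arrive as "permission" claims on the token.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer();
builder.Services.AddAuthorization(options =>
{
    // Deny by default: an endpoint with no authorization metadata still requires an
    // authenticated user, so a forgotten [HasPermission] never produces a public endpoint.
    options.FallbackPolicy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();
});
builder.Services.AddSingleton<IAuthorizationPolicyProvider, PermissionAuthorizationPolicyProvider>();
builder.Services.AddSingleton<IAuthorizationHandler, PermissionAuthorizationHandler>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Minimal API usage: the attribute on the lambda, or RequireAuthorization with the policy name.
app.MapGet("/members/{id:guid}", [HasPermission(Permission.ReadMember)] (Guid id) => Results.Ok(id));
app.MapPut("/members/{id:guid}", (Guid id) => Results.NoContent())
   .RequireAuthorization(nameof(Permission.UpdateMember));
app.MapGet("/health", () => Results.Ok()).AllowAnonymous(); // public, and explicitly so

// Fail fast: an endpoint that is neither permission-guarded nor explicitly public is a
// configuration error to catch at startup, not something to discover in production.
var unguarded = PermissionCoverage.EndpointsWithoutPermission(((IEndpointRouteBuilder)app).DataSources);
if (unguarded.Count > 0)
    throw new InvalidOperationException("Endpoints lacking a permission or [AllowAnonymous]: " + string.Join(", ", unguarded));

app.Run();

public enum Permission { ReadMember = 1, UpdateMember = 2 }

// Same shape as the attribute in the video: the enum member name becomes the policy name,
// so a permission cannot be misspelled the way a raw policy string can.
public sealed class HasPermissionAttribute : AuthorizeAttribute
{
    public HasPermissionAttribute(Permission permission) : base(policy: permission.ToString()) { }
}

public sealed class PermissionRequirement : IAuthorizationRequirement
{
    public PermissionRequirement(string permission) => Permission = permission;
    public string Permission { get; }
}

// Succeeds only when the principal carries a "permission" claim with exactly this value.
public sealed class PermissionAuthorizationHandler : AuthorizationHandler<PermissionRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, PermissionRequirement requirement)
    {
        if (context.User.HasClaim("permission", requirement.Permission))
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

// Builds a policy for any name that is a Permission member, so nothing has to be registered
// per permission with AddPolicy; other names fall through to the default provider.
public sealed class PermissionAuthorizationPolicyProvider : DefaultAuthorizationPolicyProvider
{
    public PermissionAuthorizationPolicyProvider(IOptions<AuthorizationOptions> options) : base(options) { }

    public override async Task<AuthorizationPolicy?> GetPolicyAsync(string policyName)
    {
        var policy = await base.GetPolicyAsync(policyName);
        if (policy is not null || !Enum.GetNames<Permission>().Contains(policyName))
            return policy;
        return new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .AddRequirements(new PermissionRequirement(policyName))
            .Build();
    }
}

public static class PermissionCoverage
{
    // Display names of endpoints with neither a policy naming a Permission nor IAllowAnonymous.
    // [HasPermission] and RequireAuthorization("Name") both surface as IAuthorizeData metadata.
    public static IReadOnlyList<string> EndpointsWithoutPermission(IEnumerable<EndpointDataSource> sources)
    {
        var missing = new List<string>();
        foreach (var endpoint in sources.SelectMany(s => s.Endpoints))
        {
            bool guarded = endpoint.Metadata.GetOrderedMetadata<IAuthorizeData>()
                .Any(a => a.Policy is not null && Enum.GetNames<Permission>().Contains(a.Policy));
            bool isPublic = endpoint.Metadata.GetMetadata<IAllowAnonymous>() is not null;
            if (!guarded && !isPublic)
                missing.Add(endpoint.DisplayName ?? "<unnamed endpoint>");
        }
        return missing;
    }
}
```

The fallback policy only covers the case where an endpoint has no authorization metadata at all; the PermissionCoverage check is what enforces the stricter rule from the tip above, that every endpoint either names a permission or is marked public on purpose. Running it at startup means a missing attribute breaks the deployment rather than silently shipping an endpoint that any authenticated user can reach.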

  • @techpc5453 1 year ago +1

  • @seanvogel8067 2 years ago +2

    Hmmm. You could say nameof(policy)

  • @lasindadilshan7860 2 years ago +1

    Great!

  • @silvertek 2 years ago +1

    Interested to see where this leads. Sort of reminds me of one of Jason Taylor's old videos (th-cam.com/video/OW5wBERdhQU/w-d-xo.html) for flexible auth using a flags enum and some fun bit manipulation.

  • @alirezanet 2 years ago +1

    How does the comment spam detection work on this channel!? 🤷‍♂
    If you could at least check your spam comments 😅😅🤦‍♂
    I tried to suggest something 20 different ways, but I failed.

    • @MilanJovanovicTech  2 years ago +1

      I'm not sure :/ Who knows what you were trying to write 🤣 I leave it to TH-cam's AI to detect spam

    • @alirezanet 2 years ago

      @@MilanJovanovicTech I don't know really 😅 but I'll send my suggestion to your Twitter

  • @hmsiegel79 2 years ago

    Milan, I've found that running the program after implementing these changes throws an exception. I initially thought it was something that I had done, but after loading the source code from Patreon, I'm getting the same error. I was wondering if you ran into the same issue and if you know the fix. The exception is: System.AggregateException: 'Some services are not able to be constructed (Error while validating the service descriptor 'ServiceType: Microsoft.AspNetCore.Authorization.IAuthorizeData Lifetime: Scoped ImplementationType: Gatherly.Infrastructure.Authentication.HasPermissionAttribute': Unable to resolve service for type 'Gatherly.Infrastructure.Authentication.Permission' while attempting to activate 'Gatherly.Infrastructure.Authentication.HasPermissionAttribute'.)'

    • @MilanJovanovicTech  2 years ago

      Yup, you won't be able to run it until I release tomorrow's video 😅
      Apologies for that though, but it will be resolved soon!

    • @hmsiegel79 2 years ago +1

      @@MilanJovanovicTech How do I get around the issue in the next video, Managing Permissions? I was running into similar issues when trying to add the EF migration.

    • @MilanJovanovicTech  2 years ago +1

      @@hmsiegel79 That's actually strange, I had no problems running the migration 🤔
      Simplest solution would be to just remove the HasPermissionAttribute on the endpoint, temporarily.

    • @hmsiegel79 2 years ago

      @@MilanJovanovicTech So after further review, the issue with the migration is the error 'Unable to create an object of type 'ApplicationDbContext'', which makes zero sense, as that part of the project hasn't changed.