Get the source code for this video for FREE → the-dotnet-weekly.ck.page/permissions1
Want to master Clean Architecture? Go here: bit.ly/3PupkOJ
Want to unlock Modular Monoliths? Go here: bit.ly/3SXlzSt
One important security tip when implementing permission scopes like this: the default behavior for any endpoint should be to deny all requests if no permission scopes are specified. If you don't implement it this way, you could easily forget to restrict an important endpoint and inadvertently introduce vulnerabilities.
That's a great point!
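The deny-by-default behaviour the comment above asks for is what ASP.NET Core's FallbackPolicy is for: it is evaluated only for endpoints that carry no authorization metadata at all, so making it fail closed turns a forgotten attribute into a 401/403 instead of an open endpoint. The following Program.cs is an added example, not the video's or the Gatherly project's code; the endpoint routes, the "permission" claim type and the policy name are constructed for illustration, and the JWT bearer scheme is assumed to be configured elsewhere.

```csharp
// Added example (not the video's source code): deny-by-default authorization in ASP.NET Core.
// Endpoints without any authorization metadata fall through to FallbackPolicy; a fail-closed
// fallback means a forgotten [HasPermission]/[Authorize] is denied rather than exposed.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Authentication scheme assumed to be configured via appsettings/Authentication:Schemes:Bearer.
builder.Services.AddAuthentication("Bearer").AddJwtBearer();

builder.Services.AddAuthorization(options =>
{
    // Weak default (the framework's out-of-the-box behaviour): with FallbackPolicy left null,
    // an endpoint that has no authorization attribute is reachable anonymously.
    // options.FallbackPolicy = null;

    // Hardened default: an endpoint that declares no policy is denied outright.
    // Public endpoints must opt out explicitly with [AllowAnonymous] / .AllowAnonymous().
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .RequireAssertion(_ => false)   // no explicit permission => never succeeds
        .Build();

    // Constructed policy name and claim type.
    options.AddPolicy("Permission:ReadMember", policy =>
        policy.RequireClaim("permission", "ReadMember"));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Explicitly public: opts out of the fallback.
app.MapGet("/health", () => Results.Ok("healthy")).AllowAnonymous();

// Explicitly permissioned: the fallback does not apply because metadata is present.
app.MapGet("/members", () => Results.Ok(new[] { "alice", "bob" }))
   .RequireAuthorization("Permission:ReadMember");

// "Forgotten" endpoint: no metadata, so the fail-closed fallback applies and every
// request is rejected (401 when anonymous, 403 when authenticated) until a policy is added.
app.MapDelete("/members/{id:int}", (int id) => Results.NoContent());

app.Run();
```

The important property is that the failure mode is visible: the first call to the unannotated DELETE endpoint is rejected during development, which is when you want to notice the missing attribute.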
Good approach, thanks!
nice approach, you can decorate all access permissions as Permission.Public
This is one of the series I've been waiting for the most. I enjoy and learn a lot with your content, thank you very much for sharing Milan.😃
You're more than welcome Fernando 😁
This is very useful, please keep going with this. I'm looking forward to seeing part 2.
Coming next week! 😁
Using enum is really a great choice for this scenario, kindly waiting for the part 2, thanks for the efforts you put into this.
Glad you liked it Cyril, I'm excited about the next parts 😁
Really excited about your future videos. Awesome work!
Thank you!
Great vid! Looking forward to the next parts! Authorization is a basic part of every enterprise web application. Thanks! 🙂
The core implementation is coming next week 😁
Keep coming homie!
You know I deliver 📩📩📩
Awesome video! Keep them coming
Thanks a lot!
Great stuff, waiting for part 10 ;-)
Thanks! This should've been 01 then 🤣
Amazing series
Thanks a lot!
@Milan I must be missing something. After saying that Roles and Policies have to be hardcoded you implement HasPermission as a subclass of the same attribute, Authorize, and then call the constructor of that attribute with your permission value as Policy. So in fact we are still using the Authorize attribute with the policy parameter. How is this improving things? Or are you going to implement something different than calling the base constructor in part 2 ?
The point is using an enum to specify the permission instead of a string. I'm not sure how you don't see that as an improvement in itself?
@MilanJovanovicTech I guess you are talking about what Jason Taylor showed: how you can translate values back to their enum "values", although his method used binary values, so when you have a serious amount of enums you would run into issues with those 2-power values, right.... Anyway, I was just curious and am really interested in how you continue in part 2 and beyond. Did not mean anything negative.
Also just saw this video about dynamic security th-cam.com/video/x7NxbZNboIc/w-d-xo.html which looked nice and flexible
Every one of your videos is very useful, @Milan
Thank you!
Fantastic video
Thanks! 😃
Hi Milan, literally a new fan of your great explaining techniques.
However, can I request a video playlist of a project implementing clean architecture or the DI pattern through to deployment?
I have a bunch of videos on Clean Architecture, and there should be a playlist called CA with DDD
Hi Milan,
Thanks for this series. It helped a lot.
Now I am wondering how to do permission-based authorization while using Azure AD.
1) Take care of the Permissions in your system
2) Add them as Claims in AD
@MilanJovanovicTech thank you for the help 😊
Great stuff. I have one question: why do you define the class as sealed, both in the controller and in the HasPermission class?
I like to make it explicit that it can't be inherited
Nice video again. Do you have any video where you are passing back to UI JWT token expanded with additional values, e.g. tenant ID, user roles, etc? I've implemented ASP .NET Core Identity and don't have access to the controller as I'm using base one, given by framework, so wondering where and when to append these values after successfully getting through the login process.
You'd need to create a new ClaimsPrincipal and either convert it into a JWT or Cookie
Thanks for your videos
My pleasure
Hello Milan, how do I update the policy after the permission has been updated for a particular role? E.g. the user is already logged in, and the admin updates his permission from the backend; how would I update the user's policy?
Short token expiration times, and force the user to relog
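Both replies above come down to what ends up inside the token and how long it lives: the extra values (tenant ID, roles, permissions) are added as claims when the token is issued, and a short expiry bounds how long a stale permission set stays valid without a server-side revocation list. The class below is an added example, not code from the video or from ASP.NET Core Identity; it covers only the token-creation step that runs after a successful login. The claim names "tenant_id" and "permission", the issuer and audience strings, and the 15-minute lifetime are constructed for illustration, and the signing key is expected to come from configuration.

```csharp
// Added example (not the video's code): issuing a JWT after login that carries tenant, role and
// permission claims, with a short lifetime so revoked permissions stop working quickly.
// Requires the System.IdentityModel.Tokens.Jwt package.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public sealed class JwtProvider
{
    private const string Issuer = "gatherly-example";    // constructed value
    private const string Audience = "gatherly-example";  // constructed value
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(15); // short by design

    private readonly SigningCredentials _credentials;

    public JwtProvider(string signingKey)
    {
        // HS256 needs a key of at least 256 bits; load it from configuration or a secret store.
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(signingKey));
        _credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
    }

    public string Generate(
        Guid userId,
        string email,
        Guid tenantId,
        IEnumerable<string> roles,
        IEnumerable<string> permissions)
    {
        var claims = new List<Claim>
        {
            new(JwtRegisteredClaimNames.Sub, userId.ToString()),
            new(JwtRegisteredClaimNames.Email, email),
            new("tenant_id", tenantId.ToString()),       // constructed claim type
        };

        foreach (var role in roles)
        {
            claims.Add(new Claim(ClaimTypes.Role, role));
        }

        // One claim per permission; an authorization handler later checks for the one it needs.
        foreach (var permission in permissions)
        {
            claims.Add(new Claim("permission", permission)); // constructed claim type
        }

        var now = DateTime.UtcNow;
        var token = new JwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            claims: claims,
            notBefore: now,
            // Short lifetime: an admin's permission change takes effect at the next login or
            // refresh, instead of living on for hours inside an already-issued token.
            expires: now.Add(Lifetime),
            signingCredentials: _credentials);

        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}
```

Because the permission set is baked into the token, the lifetime is the revocation latency: whatever interval you pick here is how long a user can keep acting on a permission an admin has already removed.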
🤙🤙🤙amazing content
Thanks a lot! :)
Thank you 🎉🎉🎉
You're welcome
What is the starting point of this project? I would love to do this gatherly app.
Sadly there isn't one starting from 0
Smashed that like button 💪
Thanks a lot 😁
Hello. I have a more complicated authorization problem. I need to implement resource-dependent authorization, for example so that the user can access only those records to which he has access. Can you give me some advice?
You'll have to implement a custom solution, checking if the current user has access to the given resource. You can use the idea from Part 3 that was released today to implement an AuthorizationHandler, and then add the logic for resource authorization inside.
@MilanJovanovicTech, thank you for a great answer!
Could you please share a link to the related topic if it exists. Thank you in advance.
What do you mean? I wrote this recently: www.milanjovanovic.tech/blog/master-claims-transformation-for-flexible-aspnetcore-authorization
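The resource-based check suggested in the reply above is what ASP.NET Core's AuthorizationHandler<TRequirement, TResource> is designed for: the handler is given the specific record as well as the requirement, so the decision can depend on the record (here, who created it), and the action calls IAuthorizationService against the loaded entity rather than relying on a route-level attribute. The code below is an added example and is not the video's Part 3 implementation or the Gatherly project's code; the Gathering record, the GatheringOperations names, the IGatheringRepository abstraction and the "permission"/"ReadGathering" claim are constructed for illustration.

```csharp
// Added example (not the video's or Gatherly's code): resource-based authorization where the
// decision depends on the record being accessed, not just on the endpoint.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Infrastructure;
using Microsoft.AspNetCore.Mvc;

// Constructed domain record.
public sealed record Gathering(Guid Id, Guid CreatorId, string Name);

// Constructed operation names; OperationAuthorizationRequirement is the framework type.
public static class GatheringOperations
{
    public static readonly OperationAuthorizationRequirement Read   = new() { Name = nameof(Read) };
    public static readonly OperationAuthorizationRequirement Update = new() { Name = nameof(Update) };
    public static readonly OperationAuthorizationRequirement Delete = new() { Name = nameof(Delete) };
}

// Rule: the creator may perform any operation on their own gathering; anyone else may only
// read, and only when they hold the (constructed) "ReadGathering" permission claim.
public sealed class GatheringAuthorizationHandler
    : AuthorizationHandler<OperationAuthorizationRequirement, Gathering>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        OperationAuthorizationRequirement requirement,
        Gathering resource)
    {
        var userId = context.User.FindFirstValue(ClaimTypes.NameIdentifier);

        if (userId is not null && Guid.TryParse(userId, out var id) && id == resource.CreatorId)
        {
            context.Succeed(requirement);
        }
        else if (requirement.Name == GatheringOperations.Read.Name
                 && context.User.HasClaim("permission", "ReadGathering"))
        {
            context.Succeed(requirement);
        }

        // Otherwise the requirement stays unmet and the policy fails closed.
        return Task.CompletedTask;
    }
}

// Hypothetical data-access abstraction so the controller compiles stand-alone.
public interface IGatheringRepository
{
    Task<Gathering?> GetByIdAsync(Guid id);
    Task UpdateAsync(Gathering gathering);
}

[ApiController, Route("api/gatherings")]
public sealed class GatheringsController : ControllerBase
{
    private readonly IAuthorizationService _authorizationService;
    private readonly IGatheringRepository _repository;

    public GatheringsController(IAuthorizationService authorizationService, IGatheringRepository repository)
    {
        _authorizationService = authorizationService;
        _repository = repository;
    }

    [HttpPut("{id:guid}")]
    public async Task<IActionResult> Rename(Guid id, [FromQuery] string name)
    {
        var gathering = await _repository.GetByIdAsync(id);
        if (gathering is null)
        {
            return NotFound();
        }

        // Authorize against the loaded record; the route alone cannot tell whose gathering this is.
        var result = await _authorizationService.AuthorizeAsync(User, gathering, GatheringOperations.Update);
        if (!result.Succeeded)
        {
            return Forbid();
        }

        await _repository.UpdateAsync(gathering with { Name = name });
        return NoContent();
    }
}

// Registration in Program.cs:
// builder.Services.AddSingleton<IAuthorizationHandler, GatheringAuthorizationHandler>();
```

The handler is registered as a singleton, so it must not take scoped dependencies such as a DbContext directly; load the record in the action (as above) or inject IServiceScopeFactory if the handler itself needs to query.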
How does this work with minimal APIs please? Because we don't have an attribute if I'm not mistaken.
RequireAuthorization and pass in the permission name
I finally found it. Either we put the attribute in front of our RequestDelegate, like [HasPermission("foo")] async (HttpContext context) => { }, or on our passed method Delegate:
[HasPermission("foo")]
private static async Task GetAllUsers()
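The exchange above (why subclassing AuthorizeAttribute with an enum is better than a string policy name) and this one (how the same check is expressed in minimal APIs) share one piece of plumbing, so both are served by the single added example below. It is not the video's or the Gatherly project's code: the Permission enum members, the "Permission:" policy prefix, the "permission" claim type and the endpoint routes are constructed. The attribute still ends in a policy name, as the earlier commenter noticed; the gain is that the name is derived from an enum member in exactly one place, the policy provider builds policies from that enum on demand, and a typo becomes a compile error instead of a silently unmatched policy.

```csharp
// Added example (not the video's or Gatherly's source): an enum-backed permission attribute
// with the policy provider and handler that make it work, in both controller and minimal-API form.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Routing;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

// Constructed permission set. Each member name becomes a policy name and a claim value.
public enum Permission
{
    ReadMember = 1,
    UpdateMember = 2,
}

// Still an AuthorizeAttribute underneath, but callers pass an enum member, not a free-form string.
public sealed class HasPermissionAttribute : AuthorizeAttribute
{
    public const string Prefix = "Permission:"; // constructed

    public HasPermissionAttribute(Permission permission)
        : base(Prefix + permission) { }
}

public sealed class PermissionRequirement : IAuthorizationRequirement
{
    public PermissionRequirement(Permission permission) => Permission = permission;
    public Permission Permission { get; }
}

// Succeeds when the principal carries a "permission" claim equal to the required enum name.
public sealed class PermissionAuthorizationHandler : AuthorizationHandler<PermissionRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, PermissionRequirement requirement)
    {
        if (context.User.HasClaim("permission", requirement.Permission.ToString()))
        {
            context.Succeed(requirement);
        }
        return Task.CompletedTask;
    }
}

// Builds "Permission:<Name>" policies on demand, so no policy has to be hardcoded in AddPolicy.
public sealed class PermissionPolicyProvider : DefaultAuthorizationPolicyProvider
{
    public PermissionPolicyProvider(IOptions<AuthorizationOptions> options) : base(options) { }

    public override async Task<AuthorizationPolicy?> GetPolicyAsync(string policyName)
    {
        if (policyName.StartsWith(HasPermissionAttribute.Prefix, StringComparison.Ordinal)
            && Enum.TryParse(policyName[HasPermissionAttribute.Prefix.Length..], out Permission permission))
        {
            return new AuthorizationPolicyBuilder()
                .AddRequirements(new PermissionRequirement(permission))
                .Build();
        }

        // Unknown names keep the default behaviour (named policies, fallback, etc.).
        return await base.GetPolicyAsync(policyName);
    }
}

// Controller form: the attribute goes on the action (or the whole controller).
[ApiController, Route("api/members")]
public sealed class MembersController : ControllerBase
{
    [HttpGet]
    [HasPermission(Permission.ReadMember)]
    public IActionResult GetAll() => Ok(new[] { "alice", "bob" });
}

public static class PermissionRegistration
{
    public static IServiceCollection AddPermissionAuthorization(this IServiceCollection services)
    {
        services.AddAuthorization();
        services.AddSingleton<IAuthorizationPolicyProvider, PermissionPolicyProvider>();
        services.AddSingleton<IAuthorizationHandler, PermissionAuthorizationHandler>();
        return services;
    }

    // Minimal-API form: RequireAuthorization accepts IAuthorizeData, and AuthorizeAttribute
    // implements it, so the same enum-typed attribute instance can be passed instead of a string.
    public static IEndpointRouteBuilder MapMemberEndpoints(this IEndpointRouteBuilder app)
    {
        app.MapGet("/members", () => Results.Ok(new[] { "alice", "bob" }))
           .RequireAuthorization(new HasPermissionAttribute(Permission.ReadMember));
        return app;
    }
}
```

Passing the attribute instance to RequireAuthorization keeps the enum's compile-time check in minimal APIs too; passing the equivalent string (the reply above) also works but reintroduces the typo risk the enum was meant to remove.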
👋
Hmmm. You could say nameof(policy)
Wondered the same while watching...
At what point? 🤔
Great!
Thanks!
Interested to see where this leads. Sort of reminds me of one of Jason Taylors old videos (th-cam.com/video/OW5wBERdhQU/w-d-xo.html) for flexible auth using a flags enum and some fun bit manipulation.
Something similar, yes
How does the comment spam detection work in this channel!? 🤷♂
If you can, check out your spam comments at least 😅😅🤦♂
I tried to suggest something 20 different ways but I failed.
I'm not sure :/ Who knows what you were trying to write 🤣 I leave it to TH-cam's AI to detect spam
@MilanJovanovicTech I don't know really 😅 but I'll send my suggestion to your Twitter
Milan, I've found that running the program after implementing these changes throws an exception. I initially thought it was something that I had done, but after loading the source code from Patreon, I'm getting the same error. I was wondering if you ran into the same issue and if you know the fix. The exception is: System.AggregateException: 'Some services are not able to be constructed (Error while validating the service descriptor 'ServiceType: Microsoft.AspNetCore.Authorization.IAuthorizeData Lifetime: Scoped ImplementationType: Gatherly.Infrastructure.Authentication.HasPermissionAttribute': Unable to resolve service for type 'Gatherly.Infrastructure.Authentication.Permission' while attempting to activate 'Gatherly.Infrastructure.Authentication.HasPermissionAttribute'.)'
Yup, you won't be able to run it until I release tomorrow's video 😅
Apologies for that though, but it will be resolved soon!
@MilanJovanovicTech How do I get around the issue in the next video, Managing Permissions? I was running into similar issues when trying to add the EF migration.
@hmsiegel79 That's actually strange, I had no problems running the migration 🤔
Simplest solution would be to just remove the HasPermissionAttribute on the endpoint, temporarily.
@MilanJovanovicTech So after further review, the issue with the migration is the error 'Unable to create an object of type 'ApplicationDbContext'.' Which makes zero sense, as that part of the project hasn't changed.