Access to a resource based on permissions using JWT in .NET Core 2.0

Question

I have an API using .NET Core 2.0. I already have JWT working with roles but I want to move to use it with permissions. I have a defined list of permissions and the idea is to create dynamic roles based on that permissions.

Because roles are dynamic I can't use role-based authentication, so I need to authenticate a user based on permissions.

Suppose you have a static list of permissions. For example:

• Create post
• Edit post
• View all posts
• View my posts

Now let's say I have roles:

public class Role
{
    public int Id { get; set; }
    public string Name { get; set; }
    public List<RolePermission> Permissions { get; set; }
    public bool Status { get; set; }
}

You can create a dynamic role and select a list of permissions from given static example list.

Now I want to create a Role called "Administrator" with this permissions:

• Create post
• Edit post
• View all posts

My idea is to have a JWT like this:

JWT Example:

{
  "iat": 1416929061,
  "jti": "802057ff9b5b4eb7fbb8856b6eb2cc5b",
  "role": "Administrator",
  "permissions": {
    "posts": {
      "actions": ["readall", "create", "edit"]
    }
  }
}

Now I just want to check for permissions in order to access a resource in the API.

The only solution is to create policies for every permission? How can I achieve this?

Answer 1

Based on your current question, I believe what you require is to setup an API in the Auth0 Dashboard - see docs here . You can then define default scopes to the API as you wish.

In order to influence the scopes that actually get applied for a given user authentication according to the Role to which they belong, you could define a Rule in Auth0 Dashboard. Here is a really simple example:

function (user, context, callback) {

  user.app_metadata = user.app_metadata || {};

   if (user.app_metadata.role === "Administrator") {
     context.accessToken.scope = 'openid read:posts create:posts edit:posts';
   } else if (user.app_metadata.role === "User") {
      // define likewise as needed..
   }

   callback(null, user, context);
}

Whether the role statically applied to the user profile, or dynamically looked up etc, is less clear and will depend on your requirements. But if you set this up, you should receive an JWT access token with a payload containing something like the following (for the situation where the user authenticating had Administrator role.

You can then secure your .NET Core API to verify the access token accordingly. If you are not using an API, then theoretically you "could" use the ID Token instead... (as the application itself is the consumer). But I have based the above on the understanding you wish to authorize a request against some API...?