I am using ASP.NET Core 3.1 WebAPI with Auth0.
I wanted to implement a custom AuthorizeAttribute
that would perform simple permission checks and return 403 with a message if permissions are missing.
Here is the code:
Startup.cs
(ConfigureServices)
services
.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}
)
.AddJwtBearer(options =>
{
var keyResolver = new MultipleIssuerSigningKeyResolver();
options.MetadataAddress = "https://.../.well-known/openid-configuration";
options.TokenValidationParameters = new TokenValidationParameters
{
ValidAudience = Auth0Configuration.Audience,
ValidIssuers = Auth0Configuration.Issuers,
IssuerSigningKeyResolver = (token, securityToken, kid, parameters) =>
keyResolver.GetSigningKey(securityToken.Issuer, kid)
};
}
);
Custom AuthorizeAttribute
:
public class AuthorizeAttribute : Microsoft.AspNetCore.Authorization.AuthorizeAttribute, IAsyncAuthorizationFilter
{
private readonly string[] _permissions;
public AuthorizeAttribute(params string[] permissions)
{
_permissions = permissions;
}
/// <inheritdoc />
public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
{
var user = (IRemoteUser) context.HttpContext.RequestServices.GetService(typeof(IRemoteUser));
await user.Fetch(context.HttpContext);
context.HttpContext.Items["RemoteUser"] = user;
foreach (var permission in _permissions)
{
if (user.HasPermission(permission)) continue;
// Permission not found, return forbidden.
context.Result = new ForbidResult($"Permission '{permission}' is required.");
return;
}
}
}
I call it like this:
[Authorize("support:all")]
[HttpPost]
public async Task<ActionResult> Create([FromBody] SupportMessageCreateDto dto)
{...}
It works fine if I don't provide a message to new ForbidResult()
. I get 403 if permission is missing. But if I provide this message, I get:
{
"error": "No authentication handler is registered for the scheme 'Permission 'support:all' is required.'. The registered schemes are: Bearer. Did you forget to call AddAuthentication().Add[SomeAuthHandler](\"Permission 'support:all' is required.\",...)?"
}
Why is this happening and how can I solve it? I really like this setup as it is simple, but this message is required.
I made a mistake with Result type. ForbidResult actually expects authentication scheme as string in constructor. I replaced
context.Result = new ForbidResult($"Permission '{permission}' is required.");
with
context.Result = new ObjectResult($"Permission '{permission}' is required.")
{
StatusCode = (int) HttpStatusCode.Forbidden
};
and it works now.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.