ASP.NET Core Web API custom AuthorizeAttribute issue

Question

I am working on ASP.NET Core Web API. I am trying to create a custom Authorize attribute but I am stuck. I could not understand what I am missing. I have the following code for the Authorize attribute and filter:

public class AuthorizeAttribute : TypeFilterAttribute
{
    public AuthorizeAttribute(params string[] claim) : base(typeof(AuthorizeFilter))
    {
        Arguments = new object[] { claim };
    }
}

public class AuthorizeFilter : IAuthorizationFilter
{
    readonly string[] _claim;

    public AuthorizeFilter(params string[] claim)
    {
        _claim = claim;
    }

    public void OnAuthorization(AuthorizationFilterContext context)
    {
        var IsAuthenticated = context.HttpContext.User.Identity.IsAuthenticated;
        var claimsIndentity = context.HttpContext.User.Identity as ClaimsIdentity;

        if (IsAuthenticated)
        {
            bool flagClaim = false;
            foreach (var item in _claim)
            {
                if (context.HttpContext.User.HasClaim("Role", item))
                    flagClaim = true;
            }

            if (!flagClaim)
            {
                //if (context.HttpContext.Request.IsAjaxRequest())
                    context.HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden; //Set HTTP 403 
                //else
                //    context.Result = new RedirectResult("~/Login/Index");
            }
        }
        else
        {
            //if (context.HttpContext.Request.IsAjaxRequest())
            //{
                context.HttpContext.Response.StatusCode = (int)HttpStatusCode.Unauthorized; //Set HTTP 401 -   
            //}
            //else
            //{
            //    context.Result = new RedirectResult("~/Login/Index");
            //}
        }
        return;
    }
}

I have copied this code from somewhere and commented unnecessary lines.

Here is my controller class where I am trying to put this:

[Route("api/[controller]/[action]")]
[ApiController]
[Authorize]
public class JobController : ControllerBase
{
    // GET: api/<JobController>
    [HttpGet]
    [ActionName("GetAll")]
    public List<Job> Get()
    {
        return JobDataLog.GetAllJobQueue();
    }

    // GET api/<JobController>/5
    [HttpGet("{ID}")]
    [ActionName("GetByID")]
    public Job Get(Guid ID)
    {
        return JobDataLog.GetJob(ID);
    }

    // GET api/<JobController>/5
    [HttpGet]
    [ActionName("GetCount")]
    public int GetCount()
    {
        return JobDataLog.GetJobTotal();
    }
}

Also the Configure and ConfigureService methods of Startup.cs

// This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddControllers();
            services.AddDistributedMemoryCache();
            services.AddSession(options =>
            {
                options.IdleTimeout = TimeSpan.FromMinutes(60);
            });

            var tokenKey = Configuration.GetValue<string>("TokenKey");
            var key = Encoding.ASCII.GetBytes(tokenKey);
            services.AddAuthentication(x => { x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme; })
                .AddJwtBearer(x =>
            {
                x.RequireHttpsMetadata = false;
                x.SaveToken = true;
                x.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = new SymmetricSecurityKey(key),
                    ValidateIssuer = false,
                    ValidateAudience = false
                };
            });
            services.AddSingleton<IJWTAuthenticationManager>(new JWTAuthenticationManager(tokenKey));
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }

            app.UseHttpsRedirection();

            app.UseRouting();

            app.UseCookiePolicy();
            app.UseSession();
            app.Use(async (context, next) =>
            {
                var JWToken = context.Session.GetString("JWToken");
                if (!string.IsNullOrEmpty(JWToken))
                {
                    context.Request.Headers.Add("Authorization", "Bearer " + JWToken);
                }
                await next();
            });

            app.UseAuthentication();
            app.UseAuthorization();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllers();
            });
        }

The problem is that even this controller has the Authorize attribute, all the actions are being called even the Authorize filter invalidates the authorization.

Also when I placed the following code in the OnAuthorization method:

context.Result = new StatusCodeResult(StatusCodes.Status401Unauthorized);

It blocked the access of all actions, including those which have an AllowAnnoynmous attribute.

Please help me, I have been stuck on this for last 3 hours.

Answer 1

If you really want to use a custom AuthorizeAttribute , here you go, this works. :)

You'll have a few squiggly lines, but VS will be able to automatically add the using statements.

The original code had multiple problems:

1. Setting Reponse.StatusCode doesn't actually lead to a response being returned.
2. HttpContext.User wouldn't be populated in the first place, because ASP.NET Core only attempts to authenticate the user and populate the user's claims/identity if an endpoint is secured with the built-in AuthorizeAttribute . The following code solves this by deriving from AuthorizeAttribute .
3. In this case the additional filter factory class wasn't needed, since you're not injecting dependencies. Though, if you had to inject, you'd be out of luck I think, because you couldn't derive both from TypeFilterAttribute and AuthorizeAttribute , and the claims list would be always empty.

Working code

public class MyAuthorizeAttribute : AuthorizeAttribute, IAuthorizationFilter
{
    readonly string[] _requiredClaims;

    public MyAuthorizeAttribute(params string[] claims)
    {
        _requiredClaims = claims;
    }

    public void OnAuthorization(AuthorizationFilterContext context)
    {
        var isAuthenticated = context.HttpContext.User.Identity.IsAuthenticated;
        if (!isAuthenticated)
        {
            context.Result = new UnauthorizedResult();
            return;
        }

        var hasAllRequredClaims = _requiredClaims.All(claim => context.HttpContext.User.HasClaim(x => x.Type == claim));
        if (!hasAllRequredClaims)
        {
            context.Result = new ForbidResult();
            return;
        }
    }
}

You should probably use policies instead

The reason why this works in such a crappy way is that the ASP.NET Core team doesn't want you to write custom Authorize Attributes . See this answer on the subject . The 'proper' way is to create policies, and assign your claim requirements to those policies. But I also think it's silly that authorization is so inflexible and lacking support for basic scenarios.