Use ASP.NET Core Identity only for authorization?

Keith · September 25, 2024, 3:36pm

I run my enterprise applications on IIS, so I benefit from Windows authentication. Using ServiceStack Auth it works great, because only authenticated users reach my applications and applications only need to determine the authorization with assigned user’s roles from a database table.

Following the ServiceStack recommendations, I am trying to migrate my applications to use ASP.NET Core Identity, However, I need to use ASP.NET Core Identity ONLY for determining the user’s roles. I am unable to find out how to do this, as authentication seems to be implicit (i.e. hardwired).

Any suggestions how to combine windows authentication with ASP.NET Core Identity authorization for ServiceStack 8.4 applications?

mythz · September 26, 2024, 1:53am

You would need to use ASP .NET Authentication APIs and libraries when configuring Windows Auth as ServiceStack no longer has control on how Auth is configured.

Googling around it looks like you’re able to configure Windows Auth users with Custom Roles using a custom IClaimsTransformation:

gist.github.com

https://gist.github.com/DamienBraillard/4dbd6aa2c56edf5a8e57c59b6e08da94

ISimpleRoleProvider.cs

using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

namespace DamienBraillard.AspNetCoreSimpleRoleAuthorization
{
    /// <summary>
    /// Defines the base functionality of the class used to provide applicative roles for a user when using the simple role
    /// authorization.
    /// </summary>

This file has been truncated. show original

Readme.md

# Asp .Net Core simple role authorization with Windows Authentication

## What's this all about ?
The idea is to use good old fashioned role based authorization with Windows Authentication.

The default behavior of WindowsAuthentication is to load the claims and roles from the windows authorization pipeline (AD, local rights, etc...). This results in the roles or claims to be based on the user groups.

If this behavior does not suit you and you would prefer loading the user roles from a custom storage (database, configuration file, etc...), continue on reading.

To make this happend, you need to implement a class that loads the roles for a user, enable windows authentication and register the role management services.

This file has been truncated. show original

SimpleRoleAuthorizationServiceCollectionExtensions.cs

using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.DependencyInjection;

namespace DamienBraillard.AspNetCoreSimpleRoleAuthorization
{
    /// <summary>
    /// Provides the extension methods to enable and register the simple role authentication on an Asp.Net Core web site.
    /// </summary>
    public static class SimpleRoleAuthorizationServiceCollectionExtensions
    {

This file has been truncated. show original

There are more than three files. show original

I wouldn’t use Identity Auth tables for this as that’s designed to support EF Credential Identity Auth users, I’d just have a custom table with Windows Auth User and Role.