This repository was archived by the owner on Dec 13, 2018. It is now read-only.

[Authorization] Consider base class to make building custom policies/requirements easier #575

@brockallen

The authorization system is quite nice, but complex given the type checking for authorization handlers and authorization requirements. When building custom authorization handler/requirement logic, it's a tad complex/confusing to be required to build a class such as this:

public class ClaimsAuthorizationRequirement : 
   AuthorizationHandler<ClaimsAuthorizationRequirement>, IAuthorizationRequirement

I'd like to see an easy base class to encapsulate this policy based approach in some way (with the assumption this class can fully implement the authorization logic based upon the incoming user's claims without needing to look at something external and this doesn't need anything from DI). Something like:

public abstract class AuthorizationRequirement : IAuthorizationRequirement
{
    public abstract void Handle(AuthorizationContext context);

    // not sure if these helpers would be needed -- looking for
    // a way to not have to pass the IAuthorizationRequirement instance to Succeed
    protected void Succeed(AuthorizationContext context) { context.Succeed(this); }
    protected void Fail(AuthorizationContext context) { context.Fail(); }
}

And then perhaps an implementation:

public class SeniorSalesRequirement : AuthorizationRequirement
{
    public override void Handle(Microsoft.AspNet.Authorization.AuthorizationContext context)
    {
        if (context.User.HasClaim("role", "Exec") ||
            context.User.HasClaim("role", "SeniorSales"))
        {
            Succeed(context);
        }
    }
}

Perhaps this approach would need another pre-registered authorization handler (like the PassThroughAuthorizationHandler) that knows how to handle the AuthorizationRequirement-derived requirements.

Just throwing out ideas to try to simplify and polish the API for doing policy based authorization.
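The following is an added example of how the base class and pass-through handler sketched above could be built; it is not code from the issue or from the aspnet/Security repository. It is written against the current Microsoft.AspNetCore.Authorization API (AuthorizationHandlerContext, HandleRequirementAsync) rather than the 2015-era Microsoft.AspNet.Authorization names used in the issue. The type names AuthorizationRequirement, AuthorizationRequirementHandler, SeniorSalesRequirement, AuthorizationSetup and the "role" claim values are assumptions chosen for illustration.

```csharp
// Added example, not code from the issue or the aspnet/Security repository.
// Written against the current Microsoft.AspNetCore.Authorization API; the issue's
// Microsoft.AspNet.Authorization names (AuthorizationContext, Handle) date from the
// 2015 betas. AuthorizationRequirement, AuthorizationRequirementHandler,
// SeniorSalesRequirement and the "role" claim values are assumptions for illustration.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// A requirement that carries its own evaluation logic. By design it needs nothing
// from DI: the decision is made only from the claims on the incoming principal.
public abstract class AuthorizationRequirement : IAuthorizationRequirement
{
    public abstract void Handle(AuthorizationHandlerContext context);

    // Derived classes call these instead of passing "this" to the context themselves.
    protected void Succeed(AuthorizationHandlerContext context) => context.Succeed(this);

    // Fail() is sticky: once any handler calls it, no later Succeed can reverse the
    // decision. Use it for explicit deny rules, not merely for "condition not met".
    protected void Fail(AuthorizationHandlerContext context) => context.Fail();
}

// The single pre-registered pass-through handler (the counterpart of the
// PassThroughAuthorizationHandler mentioned in the issue). AuthorizationHandler<T>
// dispatches HandleRequirementAsync for every requirement in the policy that is a T,
// so one handler registered for the base type covers every derived requirement.
public sealed class AuthorizationRequirementHandler
    : AuthorizationHandler<AuthorizationRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, AuthorizationRequirement requirement)
    {
        requirement.Handle(context);
        return Task.CompletedTask;
    }
}

// The issue's sample requirement, expressed against the base class above.
public sealed class SeniorSalesRequirement : AuthorizationRequirement
{
    public override void Handle(AuthorizationHandlerContext context)
    {
        if (context.User.HasClaim("role", "Exec") ||
            context.User.HasClaim("role", "SeniorSales"))
        {
            Succeed(context);
        }
        // Not calling Succeed leaves the requirement unmet, so the policy is denied:
        // the framework fails closed by default.
    }
}

public static class AuthorizationSetup
{
    // Registration for Startup.ConfigureServices / Program.cs. If the handler
    // registration is forgotten, every policy that uses these requirements is
    // denied rather than silently allowed, which is the safe failure mode.
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthorization(options =>
            options.AddPolicy("SeniorSales",
                policy => policy.AddRequirements(new SeniorSalesRequirement())));
        services.AddSingleton<IAuthorizationHandler, AuthorizationRequirementHandler>();
    }

    // Offline check of the dispatch path without an HTTP pipeline: build a principal
    // from constructed claims, run the handler directly and read the outcome.
    public static async Task<bool> EvaluateAsync(params Claim[] claims)
    {
        var user = new ClaimsPrincipal(new ClaimsIdentity(claims, "test"));
        var requirement = new SeniorSalesRequirement();
        var context = new AuthorizationHandlerContext(new[] { requirement }, user, resource: null);
        await new AuthorizationRequirementHandler().HandleAsync(context);
        return context.HasSucceeded;
    }
}
```

EvaluateAsync exercises the same code path the framework's IAuthorizationService would, so a principal carrying a role=SeniorSales or role=Exec claim satisfies the policy while one carrying only role=Sales does not. Two design points worth keeping in mind: the base-type handler works because AuthorizationHandler<T> selects requirements with OfType<T>(), so derived requirements need no handler of their own; and because Fail() is sticky across all handlers in a policy, a requirement that simply declines to call Succeed is the right way to express "not authorized by this rule" while still letting another handler for the same requirement grant access.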
