Tingle.AspNetCore.Authorization
5.0.0
dotnet add package Tingle.AspNetCore.Authorization --version 5.0.0
NuGet\Install-Package Tingle.AspNetCore.Authorization -Version 5.0.0
<PackageReference Include="Tingle.AspNetCore.Authorization" Version="5.0.0" />
paket add Tingle.AspNetCore.Authorization --version 5.0.0
#r "nuget: Tingle.AspNetCore.Authorization, 5.0.0"
// Install Tingle.AspNetCore.Authorization as a Cake Addin #addin nuget:?package=Tingle.AspNetCore.Authorization&version=5.0.0 // Install Tingle.AspNetCore.Authorization as a Cake Tool #tool nuget:?package=Tingle.AspNetCore.Authorization&version=5.0.0
Tingle.AspNetCore.Authorization
Authorization refers to the process that determines what a user is able to do. For example, an administrative user is allowed to create a document library, add documents, edit documents, and delete them. A non-administrative user working with the library is only authorized to read the documents.
Authorization is orthogonal and independent of authentication. However, authorization requires an authentication mechanism. Authentication is the process of ascertaining who a user is. Authentication may create one or more identities for the current user.
Below are some of the functionalities that the library provides to aid with authorization work flows.
IP Address Based Authorization
User Defined IPs
It is a common scenario whereby we may require to only allow HTTP requests from certain IPs.
In appsettings.json ...
{
"AllowedNetworks": [
"::1/128",
"127.0.0.1/32"
]
}
In Program.cs ...
builder.Services.AddAuthorization(options =>
{
options.AddPolicy("my_auth_policy", policy =>
{
policy.AddAuthenticationSchemes("my_auth_scheme")
.RequireAuthenticatedUser()
.RequireApprovedNetworks(Configuration.GetSection("AllowedNetworks"));
});
});
// add accessor for HttpContext i.e. implementation of IHttpContextAccessor
builder.Services.AddHttpContextAccessor();
// add IAuthorizationHandler for approved networks
builder.Services.AddApprovedNetworksHandler();
Details of the implementation of my_auth_scheme
authentication scheme have been omitted here since it is beyond the scope of this discussion. More details on how to handle authentication in ASP.NET Core can be found here.
The above code section defines my_auth_policy
authorization policy which ensures the user who has been authenticated via the my_auth_scheme
has access to the resource they're trying to gain access to. Using RequireApprovedNetworks
extension method on the AuthorizationPolicyBuilder
we can then add a comma separated list of IP networks that are approved to access the resource from.
We also have added a call to the services.AddHttpContextAccessor()
extension method in order to allow us to gain access to the HttpContext
which contains the details of the IP address that the request is originating from.
Finally, we have a call to the services.AddApprovedNetworksHandler()
which adds an instance of the ApprovedIPNetworkHandler
. This authorization handler then makes a decision if authorization is allowed by checking if the request IP is among the networks provided in the authorization policy.
Now, we can use this functionality to authorize access to a controller as shown below:
[Authorize("my_auth_policy")]
public class DummyController : ControllerBase
{
...
}
Is that it?... Wait there's more!
Fully Qualified Domain Names
Alternatively, you can provide a list of fully qualified domain names and each of them will be resolved to the list of IP addresses. Let us see how to do this with an example:
In appsettings.json ...
{
"AllowedDomains": ["contoso.com", "northwind.com"]
}
In Program.cs ...
builder.Services.AddAuthorization(options =>
{
options.AddPolicy("my_auth_policy", policy =>
{
policy.AddAuthenticationSchemes("my_auth_scheme")
.RequireAuthenticatedUser()
.RequireNetworkFromDns(Configuration.GetSection("AllowedDomains"));
});
});
// add accessor for HttpContext i.e. implementation of IHttpContextAccessor
builder.Services.AddHttpContextAccessor();
// add IAuthorizationHandler for approved networks
builder.Services.AddApprovedNetworksHandler();
Azure IPs
For developers who are working with Microsoft Azure, and they'd wish to allow all their IP addresses they can do that easily as demonstrated below:
In Program.cs
builder.Services.AddAuthorization(options =>
{
options.AddPolicy("my_auth_policy", policy =>
{
policy.AddAuthenticationSchemes("my_auth_scheme")
.RequireAuthenticatedUser()
.RequireAzureIPNetworks();
});
});
// add accessor for HttpContext i.e. implementation of IHttpContextAccessor
builder.Services.AddHttpContextAccessor();
// add IAuthorizationHandler for approved networks
builder.Services.AddApprovedNetworksHandler();
If you however do not wish to allow the entire range of Azure IPs in a given cloud, you can provide service
and region
parameters to RequireAzureIPNetworks
to scope the range of IPs based on the Azure service and/or region. For example:
builder.Services.AddAuthorization(options =>
{
options.AddPolicy("my_auth_policy", policy =>
{
policy.AddAuthenticationSchemes("my_auth_scheme")
.RequireAuthenticatedUser()
.RequireAzureIPNetworks(cloud: AzureCloud.Public, service: "AzureAppService", region: "westeurope");
});
});
// add accessor for HttpContext i.e. implementation of IHttpContextAccessor
builder.Services.AddHttpContextAccessor();
// add IAuthorizationHandler for approved networks
builder.Services.AddApprovedNetworksHandler();
Product | Versions Compatible and additional computed target framework versions. |
---|---|
.NET | net8.0 is compatible. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. net9.0 is compatible. |
-
net8.0
- AzureIPNetworks (>= 1.9.7)
-
net9.0
- AzureIPNetworks (>= 1.9.7)
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.
Version | Downloads | Last updated |
---|---|---|
5.0.0 | 96 | 11/19/2024 |
4.14.1 | 168 | 10/14/2024 |
4.14.0 | 168 | 9/16/2024 |
4.13.0 | 262 | 8/13/2024 |
4.12.0 | 141 | 8/7/2024 |
4.11.2 | 168 | 7/15/2024 |
4.11.1 | 186 | 6/26/2024 |
4.11.0 | 183 | 6/6/2024 |
4.10.1 | 109 | 6/5/2024 |
4.10.0 | 135 | 5/27/2024 |
4.9.0 | 206 | 5/16/2024 |
4.8.0 | 230 | 5/5/2024 |
4.7.0 | 259 | 3/25/2024 |
4.6.0 | 205 | 3/8/2024 |
4.5.0 | 801 | 11/22/2023 |
4.4.1 | 181 | 11/20/2023 |
4.4.0 | 173 | 11/15/2023 |
4.3.0 | 294 | 10/18/2023 |
4.2.2 | 300 | 9/20/2023 |
4.2.1 | 507 | 8/4/2023 |
4.2.0 | 623 | 5/31/2023 |
4.1.1 | 176 | 5/26/2023 |
4.1.0 | 195 | 5/22/2023 |
4.0.0 | 727 | 3/14/2023 |
2.5.0 | 1,006 | 11/21/2022 |
2.4.2 | 2,051 | 7/25/2022 |
2.4.1 | 2,388 | 3/22/2022 |
2.4.0 | 2,002 | 11/10/2021 |
2.3.1 | 1,617 | 9/20/2021 |
2.3.0 | 944 | 7/22/2021 |