If you haven't already, I would recommend checking out the role claims GitHub sample for .NET Core, which goes over the best practices and implementation. https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/5-WebApp-AuthZ/5-1-Roles
Microsoft Identity - Seeking best practices/recommendations for roles, claims, and policies in an ASP.NET Core Web API
I am new to Microsoft Identity Platform and want to get an idea of best practices and guidelines on Roles, Claims, and Policies. I have watched the videos from Matthijs Hoekstra (MSFT Microsoft Identity Platform Team) and the 'ASP.NET Core Authorization with Barry Dorrans'.
Our OData Web API has 150+ controllers and most controller actions are CRUD (GET, POST, PATCH, and DELETE). We currently have 20 client apps that access our system. Currently our custom AuthZ logic handles 500+ claims and maps claims to roles via the snippet below.
// Add one role claim per role name, using the WS-Federation role claim type
// (ClaimTypes.Role) that [Authorize(Roles = "...")] checks by default.
foreach (var role in roles) {
    identity.AddClaim(new Claim("http://schemas.microsoft.com/ws/2008/06/identity/claims/role", role));
}
Our controller actions look something like this...
[Authorize(Roles = "AccountGet")]
public async Task<IActionResult> Get() {}
[Authorize(Roles = "AccountPost")]
public async Task<IActionResult> Post([FromBody] Account account) {}
[Authorize(Roles = "AccountPatch")]
public async Task<IActionResult> Patch([FromRoute] int id, [FromBody] Delta<Account> account){}
How should we set up Roles/Claims/Policies using Microsoft Identity Platform in such a way that the current authorization capability still works?
1 answer
Marilee Turscak-MSFT (Microsoft Employee)
2020-10-14T00:18:05.503+00:00
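As an added example that is not part of the question or the answer above, the following sketch shows one way to adopt Microsoft identity platform app roles while leaving the existing `[Authorize(Roles = "AccountGet")]` attributes untouched. It assumes Microsoft.Identity.Web and the JwtBearer package are referenced, that appsettings.json has an "AzureAd" section, and that the app registration defines coarse app roles (the names "Account.Read" and "Account.ReadWrite", the resource list, and the mapping table are all hypothetical). App roles assigned to a user or to a client app's service principal arrive in the access token's "roles" claim; an `IClaimsTransformation` expands each of them into the fine-grained role claims the controllers already check, so nothing in the 150+ controllers has to change.

```csharp
// Added example, not the original poster's code or the Microsoft sample.
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

public class Startup
{
    private readonly IConfiguration _configuration;
    public Startup(IConfiguration configuration) => _configuration = configuration;

    public void ConfigureServices(IServiceCollection services)
    {
        // Validate bearer tokens issued by the Microsoft identity platform
        // using the "AzureAd" section of appsettings.json (assumed to exist).
        services.AddMicrosoftIdentityWebApiAuthentication(_configuration, "AzureAd");

        // Pin the role claim type to the same URI the existing code adds, so
        // [Authorize(Roles = ...)] keeps looking at ClaimTypes.Role regardless of
        // which claim-mapping defaults the library version applies.
        services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
        {
            options.TokenValidationParameters.RoleClaimType = ClaimTypes.Role;
        });

        // Expand coarse app roles from the token into the fine-grained legacy roles.
        services.AddSingleton<IClaimsTransformation, AppRoleToLegacyRoleTransformation>();

        // Optional: named policies per resource/verb so new controllers can use
        // [Authorize(Policy = "Account.Get")] instead of raw role strings.
        services.AddAuthorization(options =>
        {
            foreach (var resource in new[] { "Account", "Contact" })   // hypothetical resources
            {
                foreach (var verb in new[] { "Get", "Post", "Patch", "Delete" })
                {
                    options.AddPolicy($"{resource}.{verb}", p => p.RequireRole($"{resource}{verb}"));
                }
            }
        });

        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // must run before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

// Maps app roles issued by the identity platform to the role names the
// existing [Authorize(Roles = ...)] attributes expect.
public class AppRoleToLegacyRoleTransformation : IClaimsTransformation
{
    // Hypothetical mapping table; in practice this would come from configuration or a store.
    private static readonly Dictionary<string, string[]> Map = new Dictionary<string, string[]>
    {
        ["Account.Read"]      = new[] { "AccountGet" },
        ["Account.ReadWrite"] = new[] { "AccountGet", "AccountPost", "AccountPatch", "AccountDelete" },
    };

    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // Work on a clone: the pipeline may invoke a transformation more than once per request.
        var clone = principal.Clone();
        if (!(clone.Identity is ClaimsIdentity identity) || !identity.IsAuthenticated)
            return Task.FromResult(principal);

        // Roles already present (either added earlier or mapped inbound by the JWT handler).
        var present = new HashSet<string>(identity.FindAll(ClaimTypes.Role).Select(c => c.Value));

        // Read app roles from the raw "roles" claim and from ClaimTypes.Role, because the
        // JWT handler may or may not have renamed "roles" depending on inbound claim mapping.
        var appRoles = identity.FindAll("roles").Concat(identity.FindAll(ClaimTypes.Role))
                               .Select(c => c.Value).Distinct();

        foreach (var appRole in appRoles)
        {
            // Unknown role values grant nothing; only mapped app roles are expanded.
            if (!Map.TryGetValue(appRole, out var legacyRoles)) continue;
            foreach (var role in legacyRoles)
            {
                if (present.Add(role))
                    identity.AddClaim(new Claim(ClaimTypes.Role, role));
            }
        }
        return Task.FromResult(clone);
    }
}
```

The important check is the idempotency guard (`present.Add`): claims transformations can run more than once per request, and without it the identity accumulates duplicate role claims. Keeping the mapping table outside the token also sidesteps token bloat from 500+ fine-grained claims, since a client app only carries the handful of app roles it was assigned.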