Authorization failure with resource - lack of documentation/warning/implementation

I am unable to find documentation explaining how to either create an Authorize Attribute that allows the resource to be set so that you can have implicit authorization where the policy can adapt more dynamically to generate authorization at the individual resource level. I also cannot find documentation stating why we should not do it, so I am not sure if this is for a future release.

I need to extend the Authorize attribute to allow passing of resource, which seems to be possible in the extensions of AuthorizeAsync, which contain 2 overloads with parameters of object? resource. I have read through most all of the authorization code and cannot figure out why there is no overload in the Authorize attribute to pass data from razor pages such as route parameter data or how to retrieve this inside of a policy/requirement to have dynamic resource level authorization in razor pages.

If this is intentional due to some security concern or otherwise, this needs to be noted. Otherwise, there should be documentation on how to accomplish this as it seems like a fairly common use case to require denial per individual resources such as by permission granted by resource id. If this is intended to be added in a future feature, please let me know. There do not appear to be other issues covering this either.

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 8 (5 by maintainers)

Top GitHub Comments

2 reactions
javiercn commented, Nov 24, 2021

The appropriate way to achieve resource authorization in Blazor is to pass in the route data as the Resource parameter. That gives you access to the PageType and the RouteValues in the policy and can be used to implement any custom logic based on those. For example, your policy can grab the PageType and reflect over it to make an authorization decision.

<CascadingAuthenticationState>
    <Router AppAssembly="@typeof(App).Assembly">
        <Found Context="routeData">
            <AuthorizeRouteView Resource="@(routeData)" RouteData="@routeData" DefaultLayout="@typeof(MainLayout)" />
            <FocusOnNavigate RouteData="@routeData" Selector="h1" />
        </Found>
        <NotFound>
            <PageTitle>Not found</PageTitle>
            <LayoutView Layout="@typeof(MainLayout)">
                <p role="alert">Sorry, there's nothing at this address.</p>
            </LayoutView>
        </NotFound>
    </Router>
</CascadingAuthenticationState>

@guardrex can you add a section on the docs on how to do this in the way I mentioned?

0 reactions
javiercn commented, Nov 24, 2021

@optimizasean If you want to do something like what you are proposing, you can create your own AuthorizationRequirement, but this is not something we plan to add out of the box.
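
A custom requirement and handler that receive the RouteData passed as Resource, as the two comments above describe. This is an added example, not code from the issue or from ASP.NET Core itself. The names RecordAccessRequirement, RecordAccessHandler and CanOpenRecord, the route parameter Id and the claim type record are assumptions for illustration.

```csharp
using System;
using System.Globalization;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Components;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical requirement: the user must hold a claim naming the record in the route.
public sealed class RecordAccessRequirement : IAuthorizationRequirement
{
    public string RouteKey { get; init; } = "Id";       // assumed parameter, e.g. @page "/records/{Id:int}"
    public string ClaimType { get; init; } = "record";  // assumed claim type issued at sign-in
}

// Runs only when context.Resource is a RouteData, i.e. when AuthorizeRouteView was given
// Resource="@(routeData)". With any other resource the requirement stays unmet (deny).
public sealed class RecordAccessHandler : AuthorizationHandler<RecordAccessRequirement, RouteData>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, RecordAccessRequirement requirement, RouteData resource)
    {
        // Route values are typed by the route constraint (int, Guid, string), so normalise to text.
        if (resource.RouteValues.TryGetValue(requirement.RouteKey, out var raw) && raw is not null)
        {
            var id = Convert.ToString(raw, CultureInfo.InvariantCulture);
            if (!string.IsNullOrEmpty(id) && context.User.HasClaim(requirement.ClaimType, id))
            {
                context.Succeed(requirement);
            }
        }
        // Not calling Succeed fails the policy: a missing parameter or a missing claim both deny.
        return Task.CompletedTask;
    }
}

public static class RecordAccessRegistration
{
    public const string PolicyName = "CanOpenRecord";   // hypothetical policy name

    public static IServiceCollection AddRecordAccessPolicy(this IServiceCollection services)
    {
        services.AddScoped<IAuthorizationHandler, RecordAccessHandler>();
        return services.AddAuthorizationCore(options =>
            options.AddPolicy(PolicyName, policy => policy
                .RequireAuthenticatedUser()
                .AddRequirements(new RecordAccessRequirement())));
    }
}
```

A page opts in with `@attribute [Authorize(Policy = "CanOpenRecord")]`. In Blazor WebAssembly this check only controls what the UI renders, so the API that serves the record has to enforce the same rule.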
