Open Closed

Authentication/Authorization: Restricting access to an API service to specific client or consumer with new token #6908


User avatar
0
Yaduraj.Shakti created

We've set up an External API that's meant for a specific client or consumer. This client will be using Token-based authentication to access the API (either through a Controller or an AppService). However, we want to restrict their access only to this particular API and prevent them from accessing any of our other APIs.

The issue we're facing is that some of our controllers or AppServices don't have the [Authorize] attribute, and we need to protect those by requiring a token. Currently, if we generate a token, we can access these endpoints without proper authorization. We can't solve this using permissions because it requires us to decorate methods with Authorize("permission").

For instance, we generate a token from the endpoint: https://our-IdentityServer.com/connect/token using the default JWT Scheme. The parameters include:

grant_type: password scope: Microservice1, Microservice2, Microservice3, and so on client_id: App1 client_secret: xyz123 username: ExternalUser password: Test1234

Important: The token generate for client should not be able to access any of other restricted non-restricted (without [Autthorize] services) APIs of the system.

  • ABP Framework version: v7.4.0
  • UI Type: Angular
  • Database System: EF Core/ PostgreSQL
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes/no
  • Exception message and full stack trace:
  • Steps to reproduce the issue:

6 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    You can add ASP Net Core middleware that checks whether the requested endpoint are specific URLs if the current user name is ExternalUser.

  • User Avatar
    0
    Yaduraj.Shakti created

    Thanks @mailiming,

    In this case, for every new client, I would need to make changes in Middleware correct? What are some other option adhering to best practices. For example, Multiple authentication schemes, multiple clients for Identity server

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    For the endpoints that have [Authorize], you can refer to

    https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.Authorization/Volo/Abp/Authorization/AbpAuthorizationModule.cs#L35-L36

    https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.Authorization.Abstractions/Volo/Abp/Authorization/PermissionRequirement.cs

    https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.Authorization.Abstractions/Volo/Abp/Authorization/PermissionRequirementHandler.cs

    https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.Authorization/Volo/Abp/Authorization/AbpAuthorizationPolicyProvider.cs#L28

    For the endpoints that allow anonymity, there is no other way.

  • User Avatar
    0
    Yaduraj.Shakti created

    Thanks again,

    What exactly we can implement using those links? can you please explain or give a sample?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    Sure. I will share the code.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    private void ConfigureAuthentication(ServiceConfigurationContext context)
    {
        context.Services.AddAuthorization(options =>
        {
            options.DefaultPolicy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .AddRequirements(new DenyExternalUserAuthorizationRequirement()).Build();
        });
    }
    
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Authorization;
    
    namespace MyCompanyName.MyProjectName.Web;
    
    public class DenyExternalUserAuthorizationRequirement : AuthorizationHandler<DenyExternalUserAuthorizationRequirement>, IAuthorizationRequirement
    {
        protected async override Task HandleRequirementAsync(AuthorizationHandlerContext context, DenyExternalUserAuthorizationRequirement requirement)
        {
            // Do your check.
            // if (context.User is ExternalUser)
            // {
            //     context.Fail();
            // }
    
            context.Succeed(requirement);
        }
    }
    
    
Made with ❤️ on ABP v9.1.0-preview. Updated on December 13, 2024, 06:09