ensuring that an individual is who they claim to be is the function of _____. This is a topic that many people are looking for. star-trek-voyager.net is a channel providing useful information about learning, life, digital marketing and online courses …. it will help you have an overview and solid multi-faceted knowledge . Today, star-trek-voyager.net would like to introduce to you ASP.NET Core – Roles vs Claims vs Policy. Following along are instructions in the video below:
Bad bad everyone welcome to my video about roles versus claims versus policy. First of of all i want to thank you for 200 subscribers. And this will be my of explaining.
This topic which many of you asked for and i havent really i dont think ive really given a compelling explanation. So this is what this video is gonna be about trying to explain rules claims policy. When do you want to use war.
And hopefully give you a better understanding when you want to accomplish a task. What what do you want to turn to okay so rolls force claims or suppose whats the difference. Whats up right boom.
Okay so lets start with rolls rolls is essentially a boolean type. I want you to think of it as a boolean type because a roll the user is that theyre either in it or he isnt right and they roll either protects a function or it doesnt right so you have some sort of functionality and you have some sort of user. So if the user is in a roll.
He has access to the function that the roll protects as well right so the role essentially encapsulate s. The user and the function. So this is essentially just a little diagram i use this as you can see my math skills are improving.
But yeah essentially this is what roll is so you have a roll you have the users there in the roll and they have access to these functions all right claims claims are all bit different you well not a little bit. Theyre entirely different theyre a key value pair. So if you look at this claim bubble here essentially.
This is an email. So you specifying a key or a type so you can say its an email. Its a username.
Its an image you can have all sorts of claims right and this claim belongs to a user or an entity and claims are used to describe that entity all right so theyre essentially user properties and they they tell the program or the context in which theyre used something about the user. So thats what claims are and if we go to policies. Theyre just functions policies are just thunk functions.
Which are they basically start here with the context. And when we make a request to a page. Which is protected by a policy.
They go to this policy and its essentially a function. Which basically takes this context and it looks at it and goes right. This is the user is trying to access this thing and right lets check the database files or however you configure this function to work its gonna execute.
It and then its gonna say either right youre good to go or sorry. Buddy you are not allowed to go here. And its gonna give you a 403.
Okay so lets go ahead. And ive set up a project here at this project. Im gonna make it available on github.
So you can go in and download. It and lets first take a look at roles lets take a look at the setup of the project. So start up.
I basically this is the default template kind of thing. And lets make the code. A little bit bigger and like so right so essentially i have my identity set up here and some policies as well.
But well go drill into them a little bit more in detail later on and then in the program cs file. I essentially seed an admin user and for that admin user i create an admin role okay so lets fire this up. Ill put it to the side here.
And ill create another window. Ill just put it to the side here okay. So whats happening here.
While its loading up. It is going to create a database cold let me refresh. This actually.
Authorization. Tutorial. And you can find the connection string.
For this and the upsetting stuff jason here. It is this database and the server that its pointing to so. If you have visual studio installed you shoud you should have this local database.
Okay so lets bring this up again and let me log out here because i already was testing this and was logged in okay. So essentially what we have to start with lets open this up tables. And lets look at the users.
We have this one admin user here admin test calm so lets go ahead and login there we go. And i have these two roots on top right. So roll test is essentially a page that ive set up to so the index page will essentially grab grab all the users and display their roles right and you have your roles as worth as well.
So we can go ahead and create something like a manager at test comm right. So this is going to be a manager user right so now that we have created this manager user. Hes gonna appear here and by default.
I set the password password easier to be able to access these accounts easier so. And then we can go ahead and create a role manager okay. And we can do something sort of grab this manager grab.
The manager role and add the role or you can also add the role to the admin so admin can have manager and admin role or we can go ahead and remove theyre also all this function. Im not gonna go over the functionality. Its pretty much self explanatory and its all in this one controller.
So i havent split it up into any files. Everything is in here and everything is relatively simple so for now were gonna focus on roles the role a role access and thats sort of thing so for now. I have this controller protected with the admin role right so i created this manager user.
And i gave him a role of manager. Okay. So let me go ahead copy this url go into here and lets say manager at test comm password.
Okay and you see that access is denied so im trying to access this page. And its tonight. So essentially again a roll is a boolean right so manager.
A testicle is he a manager yes is the roles and tests allowed for managers. No okay so going into policies. We can use the roles to enforce policy.
So again policies are functions and we can basically we give this function a name something like admin access and right. We say policy that the user will have a require role of admin right so this is admin access. So if we go to the policy test here i have to three pages.
Sorry admin page. Which will go into policy control. So we have the admin page.
Which has admin access. Which is right here manager access. Which is going to check that the user is either in a role of admin or manager and user access is admin manager or user role right so we can go ahead.
And also go into roles test add a user at test comm. Lets create this user. Lets create a user role grab this user.
And give em him a role as well right so being a manager you can access the user page and you can access the manager page. But you cannot access the admin page and being an admin you can access the user page manager page and admin page. So again going back to the presentation.
So our role as you can see encapsulate this function of for now the roles controller. So this whole class and all the function is are all the functions are protected by this role. So all these functions belong here to this role and all the users that are in this admin role have access to these functions right and we have the policy.
So the policy has access to the context and the context is pretty much the current state of the user in the aspnet core application right and the database. We can when i create it its possible to create filters and im gonna enough filters. But handlers i will show you how to we do that on claims policy.
But essentially you can see that here were creating functions where we are able to manipulate the rope and basically provide some additional function based based on theyre also saying things like right the function is now protected or rather your axis is depending on your role and more than one role can be involved in determining whether you have access or not okay. Let me close all of these documents. Let me stop the application and lets go ahead and go into claims.
So claims is pretty much the same. I have the program file here. Which essentially says create admin clay manager claim and date start a claim manager.
Admin. Claim are gonna be pretty much useless. Here and essentially.
Im saying right if youre on this project. First add these claims and if youve run. The other project just add the claims to the to this user.
Which is admin attest. The one we see it in roles and i have the app settings. Its pointing to the same database.
So everything that you have created in the previous project will be retained for this claims project as well okay so what am i doing different in this project. So based on claims. So i have this claims controller right and i have this years work right so what is this years work.
This is my custom filter type filter. And its a type of authorization filter. So if you know anything about i have middleware in or rather.
Not middleware filters in dotnet core. Authorization filters are executed first before any other filters. So this is whats going to be executed before it grants you access to this method right so what am i doing in this filter in this filter.
Im getting the context. Im getting the user so im chicken is he authenticated if not i returned enough for unauthorized result and then im basically getting the date started so ive basically set up this project to imitate the functionality of giving out rewards to users based on how long they worked at the company you can also say how long theyve been signed up to your a website. How long theyve been doing something right so.
Its trying to mimic or implement that functionality okay and this is what im basically checking for claims. And im looking for this date started. Im getting the value i know im doing as im prefer performing some logic in this authorization filter right so you might take if if youre catching on to if you remember the word policies were you might think right why are you not using a function or rather.
Why are you not using the policy function isnt that what its made for well yeah. That is what its made for but imagine if you didnt have policies. This is what you would have to do youd have to carry a filter and this is what you would have to do right so a claims policy.
I have these pages that are not in this policy page. But theyre here and then i have links so lets go ahead fire this one up ill put it here to the side and im gonna take this here. Im actually gonna close this okay so let me log out let me look back in as admin.
Okay. Now lets go to roles tests is it this same website. Yeah.
It is pardon. So im going to select the different project to run let me fire this up you you so now that thats this project is urn lets go ahead into our. Database again and lets look at aspnet user claims right so this is where its gonna essentially create the claims for our user so you can see the user id this is the admin id right this is the claims that is created okay.
So let me open up this window. Now put it here. Lets login as admin dot test right and let me login as manager factus com.
Laughter so this manager. Were still quite remember were still pointing to the same database. So now i have access to this login on a different website.
Okay so lets go to claims the testing here you can see all different claims right and here are the three claims that i have added manually and here you can see this roll right that is essentially stating. There also when we assigned our user to the role of admin. A has translated to this as well so if we go on our manager.
You can see that the roll is still a claim. Right but just of the just because of the implementation and is pnet core and its semantical meaning role is still this bubble capsule eights the users and the functionality in this bubble. Okay so going forward to have we work two years yes.
By the way i have set in my program. Yes. When i see that the claims.
I have set the date started form admin user in 2010. So its 2019 right now. So hes essentially worked nine years okay.
So we would be able to access two years five years and ten years so five years. No problem ten years and we get a 401 unsent ik ated right and if we gone. Our manager.
We try to visit two years might probably get an exception right because we dont have this claimant that ill probably need to implement something to handle that functionality. Okay. Now i essentially then went ahead.
And said right why am. I creating my own author is the attribute i can create a filter. Sorry and policy handler.
So a policy function that will handle this for me okay so in my startup. I have this so essentially what im doing is im creating a requirement. Which is minimum years work requirement and im passing some kind of value to it and then i am using this requirement.
Let me put this two new lines. I cant because its running all right so i have this minimum year requirement here and based on this requirement. Im essentially doing the same thing.
Im doing in this attribute so you will see that these functions look very very similar all right im doing the same thing. Except how it returns the completed status is a little bit different. But yet essentially is doing the same thing.
Its taking this claim theyd start it. And its checking its value based on the value that we have registered here right so when in my startup. When i define these policies work two years worked five years.
I give names to these functions right and then i create this parameter. Which is then implemented by this handler okay so in my this would look like this and my policy. So essentially what its saying before accessing this controller you have to go through this function right so if wed again go to policy test.
Were now at policy and if we go to two years. We have access five years. We have access ten years.
We get an unauthorized right so policy is really again its a function that can use either roles or claims or database based on the user. Thats accessing it can either provide you access or deny you access to functions all right. And if we go to here policy.
Two years and again i crush us because we dont have claims so you potentially want to be implementing. This check okay so this will be essentially for this episode. And lets again just as a refresher go back to these roles.
And i mean go back over go over these slides again after youve seen the project and how i attempted to tackle some of the tasks again roles roles and capsulate functions and users. So if you have an admin control panel panel. It would make sense to have an admin role and protect all those functions with an admin role.
Ok so if you have a specific a specific amount of functions and you want those functions to be only available to certain users you might want to opt in for roles right. But you can also send claims so you can actually just create a claimed role called roles and you can put whatever claims you want in there and really. Its up to you to decide which to pick claims the roles based on the semantical meaning of how microsoft defines it in aspnet alright.
So role is this thing. Which has users and functions assigned to this role and the claims are something that define a user right so i dont think you necessarily want to mix them you either want to pick one or two so claims are essentially essentially provide you the functionality of roles in the long term. But they also provide you with a little bit more customized ability because its a key value pair.
So you can have as youve seen how many years have you worked for it can give you that level of authorizing functions all right and policies are essentially those functions. Which basically theyre basically saying based on who is accessing theyre gonna perform some tasks and theyre gonna say right youre either allowed to do it or not so policies essentially. They dont have anything to do with roles or claims.
They use roles and claims to decide whether you have access or not okay. So the real question. Here is should you be using roles and claims and thats for you to decide in your application based on the application that youre building do you need the flexibility of claims or are you okay with just having roles and secure securing and delegating access to functions based on the roles or do you need to know that the user has some sort of a value assigned to like an email.
If or a domain. If you come from a different domain. So you might have a windows authentication in your company.
And you might say write one users come from one domain. Another users come from another domain so based on the domain we are were gonna delegate access or based on your role or access level you know that sort of thing. So if youre in a big company and youre building a big application claims might be your pick.
If youre building something small. And you dont need a lot of flexibility and you really really just need to secure a function and when the user comes in and you want to give them access to these functions. It might be okay with going for roles and if you dont need a big level of configuration.
The were for this video thanks for watching. If you have any questions leave them in the comments. Id love to answer your questions.
If you enjoy this video like subscribe. I do a lot of cool tutorials on my channel. Not only does my core.
But also ujs and theres gonna be a lot more videos to come so if you want to stick around dont forget to subscribe and hopefully ill see you around in my other videos have a good day .
Thank you for watching all the articles on the topic ASP.NET Core – Roles vs Claims vs Policy. All shares of star-trek-voyager.net are very good. We hope you are satisfied with the article. For any questions, please leave a comment below. Hopefully you guys support our website even more.