Develop Reference

Restricting Azure AD users from accessing web api controller

I have a web api application which I allow an access to only authorized user.
I do it by using attribute [Authorize] with controllers
Can I restrict from accessing the application a particular user with a given username even though he/she's in Azure AD?

Can I restrict from accessing the application a particular user with a given username even though he/she's in Azure AD?
What you need is to create a policy and check current user against this policy whenever you want.
There're two ways to do that.
Use a magic string to configure policy (e.g. [Authorize(policy="require_username=name")]), and then create a custom policy provider to provide the policy dynamically. For more details, see https://learn.microsoft.com/en-us/aspnet/core/security/authorization/iauthorizationpolicyprovider?view=aspnetcore-2.2
Create a static policy and use a custom AuthorizeFilter to check whether current user is allowed.
Since this thread is asking "Restricting Azure AD users from accessing web api controller", I prefer to the 2nd way.
Here's an implementation for the 2nd approach. Firstly, let's define a policy of requirename:
services.AddAuthorization(opts =>{
opts.AddPolicy("requirename", pb => {
pb.RequireAssertion(ctx =>{
if(ctx.User==null) return false;
var requiredName = ctx.Resource as string;
return ctx.User.HasClaim("name",requiredName);
});
});
});
And to check against this policy, create a custom AuthorizeFilter as below:
public class RequireNameFilterAttribute : Attribute, IAsyncAuthorizationFilter
{
public string Name{get;set;}
public RequireNameFilterAttribute(string name) { this.Name = name; }
public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
{
var user= context.HttpContext.User;
if(user==null){
context.Result = new ChallengeResult();
return;
}
var authZService = context.HttpContext.RequestServices.GetRequiredService<IAuthorizationService>();
var result= await authZService.AuthorizeAsync(user, this.Name, "requirename");
if (!result.Succeeded) {
context.Result = new ForbidResult();
}
}
}
Finally, whenever you want to deny users without required names, simply decorate the action method with a RequireNameFilter(requiredName) attribute:
[RequireNameFilter("amplifier")]
public string Test()
{
return "it works";
}
[Edit]
AAD can restrict Azure AD users from accessing web api controller on an Application level. But cannot disallow an user to access a Controller API (API level).
Here's how-to about restricting Azure AD users on an Application Level
Login your Azure portal:
Choose an Activity Directory (e.g. Default Directory)
Click [Enterprise applications]
Choose the application you want to restrict (e.g. AspNetCore-Quickstart)
Select [Properties], Change the [User assignment required] to Yes
Select [Users and groups], Add/Relete users for this application as you need :
Be aware Azure AD is actually an Indentity Provider. This approach only works for the entire application. It's impossible to allow some user to access the App but disallow him to access a specific controller without coding/configuring the Application. To do that, we have no choice but to authorize uses within the application.

How to only allow a specific user to create new users in Firebase?

There are a lot of posts and discussions about restricting read/write access to specific users in the Firebase real-time database. However, I am not able to find a way to restrict the creation of new users to only a specific user/admin.
My application consists of a manager and employees. Only the manager should be able to add new users (employees) to the database along with having access to specific data which employees cannot access. From my understanding, the API which Firebase provides means that any client can create new users.
Could someone please guide me on how I can achieve this?

You can do as follows:
Firstly, create an admins node in your database to which you add the admin/manager user(s) with their userId, as follows:
- admins
- Br8kiG5....
- users
- Abcd88676....
- ....
- JHgU76hgh....
- ....
Secondly, set-up some security rules as follows,
{
"rules": {
"users": {
".write": "auth != null && root.child('admins').hasChild(auth.uid)",
".read": .....
".indexOn": .....
},
.....
}
}
Thirdly, implement the Firebase authentication in your app and only the user(s) listed under the admins database node will be able to write under the users node.

Auth0 subscription plan app_metadata

I'm developing a quiz app which requires authorization for only-subscribed members can see.
How to do that? I'm thinking of putting metadata (is_subscribed) to true for subscribed member and give the scope so he/she can gain permissions.
But, I don't know how to do it. Please help. The docs is so confusing

There are two separate concerns here.
Where to keep the subscription information. app_metadata is fine, or you might choose to do so in a backend database (application specific). A client application will probably handle subscriptions and be in charge of updating that value. If you store the value in app_metadata, you will use Management API v2 to alter the user profile from the application that handles subscriptions.
Add an authorization scope based on the subscription status. In this case, you would use a rule to add a custom scope based on the value of the is_subscribed field. I.e.:
function(user, context, callback) {
if (user.app_metadata && user.app_metadata.is_subscribed) {
context.accessToken.scope = ['read:quiz'];
} else {
// remove the ability to read a quiz if not subscribed.
context.accessToken.scope = [];
}
callback(null, user, context);
}
If you decided to store the subscription information in a backend database instead of in the app_metadata, you would simply access the database from the rule in the above code.

How to create a jhipster application with different user role?

I want to create a jhipster application with different user role ( a client,
seller ...) but I don't know how since a jhipster generate automatically a list of users(admin, user)

If you want to create new Role with some rules, you must:
1. Add this role to
src/main/resources/config/liquibase/authorities.csv
like this:
NAME_OF_YOUR_ROLE
2. Connect this role with some user to
src/main/resources/config/liquibase/users_authorities.csv
like this:
5;NAME_OF_YOUR_ROLE
where 5 - is number of user in users.csv
3. Add to AuthoritiesConstants.java
public static final String NAME_OF_YOUR_ROLE = "NAME_OF_YOUR_ROLE";
Then you can work with your role in Spring Security or in AngularJs

Sitecore 6 Is it possible to change roles for virtual user when already logged in?

In Sitecore 6 is it possible to change roles for virtual user when already logged in?
I would like to change roles for virtual users that are already logged in to system, but it looks like Sitecore ignores it. I can clear roles and add a new one but all the old roles are still attached to the user.
I think I should to re-login the user but it is not the case for me.
virtualUser.RuntimeSettings.AddedRoles.Clear();
virtualUser.Roles.RemoveAll();
if (permissions != null && permissions.Any())
{
foreach (var role in permissions.Where(d=>!string.IsNullOrEmpty(d.Type)))
{
string domainRole = string.Format("{0}\\{1}", "extranet", role.Type);
if (SC.Security.Accounts.Role.Exists(domainRole))
{
virtualUser.RuntimeSettings.AddedRoles.Add(domainRole);
}
}
}

You can try to use
Sitecore.Caching.CacheManager.ClearSecurityCache(userName);
This method calls another methods:
CacheManager.ClearUserProfileCache(userName);
CacheManager.ClearIsInRoleCache(userName);
CacheManager.ClearAccessResultCache(userName);
So in theory it should do what you need but I haven't confirmed it in practice.

It seems to be that login-out and re-login will set the correct roles because during login the AuthenticationManager will clear the SecurityCache which holds the UserProfile and the Roles.
I don't see a method to add new Roles to the current authenticated user.