Web Api 2 & OWIN: Authorizing a user against a client

Question

We are a developing an AngularJS single page application with an ASP.NET Web Api 2 REST API. We are using OWIN middleware and OAuth.

Our system consists of clients and users:

• Clients are organisations/companies.
• Users are employees of those companies. Users belong to a client.

At the moment, we are using the following check in every controller:

[Route("api/clients/{clientId}/orders/{orderId}")]
public IHttpActionResult GetOrder(int clientId, int orderId)
{
    if(UserComponent.GetUser(User.Identity.Name).ClientId != clientId)
    {
        return NotFound();
    }

    // Get order

    return Ok(orderModel);
}

See below sequence for more detail (refer to diagram):

1. Getting a token for the user (also returns clientId).

2. Accessing a client resource. User/client authorization:

   a. The user is authorized to access client resources, or

   b. The user is NOT authorized to access client resources.

Essentially, a user from client A should not be able to access a resource from client B.

What is the best way to authorize users against client resources?

Can we somehow defer this to OWIN (perhaps by using claims)?

Answer 1

Claims is a good option as you can send the clientId with the token and that sent back with each request and then you can check the user with the clientId against your datastore and validate the user's access against the resource which can be done through a filter for example.

For the authorization of the user request, a custom authorization attribute inherited from AuthorizeAttribute can do the job, you decorate your action by this attribute and this will run before your action and authorize your user against the clientid + resource or return 401 (unauthorize) if the user has no access.

Check this question for an idea about the custom authorize attribute ASP.NET MVC 4 Custom Authorize Attribute with Permission Codes (without roles)