Intensivist

Reputation: 1027

How does [Authorize] attribute enhance Azure App Service (web app) authentication/authorization

I published a web app to Azure's App Services. I used the App Service's Authentication/Authorization feature to provide security. I successfully added Active Directory features to my web service (and desktop client). It seemed to work very well. Couldn't access data from a browser or desktop client without signing in to the AD.

This was all before I added the [Authorize] attribute to any of the controllers in the API!

So, what will [Authorize] do (or add) to security in my web API? It seems to already be locked up by configuring the Authentication/Authorization features of the web app in Azure.

Upvotes: 0

Views: 636

Answers (2)

Bruce Chen

Reputation: 18465

So, what will [Authorize] do (or add) to security in my web api.

Using ILSpy, you could check the source code about AuthorizeAttribute under System.Web.Mvc.dll. The core code for authorization check looks like this:

protected virtual bool AuthorizeCore(HttpContextBase httpContext)
{
    if (httpContext == null)
    {
        throw new ArgumentNullException("httpContext");
    }
    IPrincipal user = httpContext.User;
    if (!user.Identity.IsAuthenticated)
    {
        return false;
    }
    if (_usersSplit.Length > 0 && !_usersSplit.Contains(user.Identity.Name, StringComparer.OrdinalIgnoreCase))
    {
        return false;
    }
    if (_rolesSplit.Length > 0)
    {
        string[] rolesSplit = _rolesSplit;
        IPrincipal principal = user;
        if (!rolesSplit.Any(principal.IsInRole))
        {
            return false;
        }
    }
    return true;
}

The main process would check httpContext.User.Identity.IsAuthenticated, then check whether the current user name or user role is authorized or not when you specify the allowed Users or Roles.

Authentication and authorization in Azure App Service (Easy Auth) is implemented as a native IIS module. For details, you could follow Architecture of Azure App Service Authentication / Authorization.

It seemed to work very well. Couldn't access data from a browser or desktop client without signing in to the AD.

This was all before I added the [Authorize] attribute to any of the controllers in the API!

Based on your description, I assumed that you set Action to take when request is not authenticated to Log in with Azure Active Directory instead of Allow Anonymous requests (no action) under your Azure Web App Authentication/Authorization blade.

Per my understanding, you could just leverage App Service Authentication / Authorization which provides built-in authentication and authorization support for you without manually adding middleware in your code for authentication. App service authentication would validate the request before your code can process it. So, for additional custom authorization check in your code, you could define your custom authorize class which inherits from AuthorizeAttribute to implement your custom processing.

using System.Web;
using System.Web.Mvc;

public class CustomAuthorize : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        //TODO: add your custom authorization check here; returning the base
        // result keeps the standard IsAuthenticated / Users / Roles behaviour.
        return base.AuthorizeCore(httpContext);
    }

    protected override void HandleUnauthorizedRequest(System.Web.Mvc.AuthorizationContext filterContext)
    {
        //TODO: customise the response for a failed check; the base issues the 401 challenge.
        base.HandleUnauthorizedRequest(filterContext);
    }
}

Then, decorate the specific action(s) or controller(s) as follows:

[CustomAuthorize]
public class UsersController : Controller
{
   //TODO:
}

Upvotes: 1
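The separation the answer above describes, as an added example rather than code from the answer or from Microsoft: Easy Auth establishes who the caller is, and a custom AuthorizeAttribute adds the per-controller check of whether that identity is allowed in. The attribute name RoleRequiredAttribute and the roles "Admin" and "Auditor" are assumptions made up for the example; it also assumes the principal already carries role information.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Web;
using System.Web.Mvc;

// Added example (not from the answer): authorization filter for ASP.NET MVC that
// runs after Easy Auth has authenticated the request. Easy Auth answers "who is
// this?"; this filter answers "may this identity call this action?".
public class RoleRequiredAttribute : AuthorizeAttribute
{
    private readonly string[] _requiredRoles;

    public RoleRequiredAttribute(params string[] requiredRoles)
    {
        _requiredRoles = requiredRoles ?? new string[0];
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        var user = httpContext.User;
        // Deny anonymous callers. With Easy Auth set to "Log in with Azure AD" these
        // never get this far, but the check stays as defense in depth in case the
        // portal setting is later switched to "Allow Anonymous requests".
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        // Authenticated but in none of the required roles: not authorized.
        return _requiredRoles.Length == 0 || _requiredRoles.Any(user.IsInRole);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var identity = filterContext.HttpContext.User != null
            ? filterContext.HttpContext.User.Identity : null;
        if (identity != null && identity.IsAuthenticated)
        {
            // Known identity with insufficient role: answer 403, not a login redirect,
            // which is the meaningful response for an API client.
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
            return;
        }
        // Not authenticated at all: let the base class issue the 401 challenge.
        base.HandleUnauthorizedRequest(filterContext);
    }
}

// Easy Auth still signs everyone in; only "Admin" or "Auditor" may reach this controller.
[RoleRequired("Admin", "Auditor")]
public class UsersController : Controller
{
    public ActionResult Index() { return Content("users list"); }
}
```

Whether user.IsInRole sees the roles you expect depends on how the principal is populated from the Easy Auth sign-in, so verify the role check against a real signed-in request before relying on it.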

Lee Liu

Reputation: 2091

App Service's Authentication/Authorization feature is based on the IIS level. The [Authorize] attribute is based on our code level. Both of these can do authentication; if you use both of them, it means that there are two levels of authentication in your web app.

Here is a picture that helps you understand them:


Upvotes: 0
