Reputation: 83
I have an existing database containing two tables like User Details and UserRole. Each user can have many custom roles. I have an Angular UI application. When the UI calls any action method in any of the controllers, how will I check the user's role for authorization? Note: the UI will send me the UserID on every request. I don't want to use ASP.NET Identity for user authorization. How should I proceed in this situation? Do I need to query the database in every action method that requires authorization and fetch the role of the user?
Upvotes: 1
Views: 922
Reputation: 2248
I would recommend using JSON Web Tokens (JWT). You don't need to use ASP.NET identity to use JWT. When the user logs in, create a JWT on the server that contains who they are and what their roles are, then pass that back to your Angular client.
The client then needs to pass that JWT with each service request in a header that will look something like:
{ "Authorization": "bearer <your token>" }
This way, your service code won't need to look up the user in the DB on every request. It's also more secure, as properly signed JWTs can't be hacked, whereas if you're just passing an unencrypted UserId, someone could easily set a breakpoint in Chrome dev tools and manually change it to whatever they wanted.
Check out "Using Bearer/Jwt authorization without Identity" and https://blog.angular-university.io/angular-jwt-authentication/.
Good luck!
Upvotes: 1
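The flow the answer describes (issue a signed token carrying the roles at login, then verify it on each request instead of querying UserRole), as an added example that is not part of the original answer. It assumes the System.IdentityModel.Tokens.Jwt NuGet package; the `RoleTokens` class, the issuer and audience strings, and the key are hypothetical placeholders constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class RoleTokens // hypothetical helper, not from the original answer
{
    // Constructed demo key (HS256 needs at least 256 bits); load the real one from a secret store.
    private static readonly SymmetricSecurityKey Key = new SymmetricSecurityKey(
        Encoding.UTF8.GetBytes("constructed-demo-key-change-me-0123456789"));
    private const string Issuer = "https://api.example.test"; // placeholder
    private const string Audience = "angular-ui";             // placeholder

    // Called once at login, after the credentials are checked and the roles are read from UserRole.
    public static string Issue(int userId, IEnumerable<string> roles)
    {
        var claims = new List<Claim> { new Claim(JwtRegisteredClaimNames.Sub, userId.ToString()) };
        claims.AddRange(roles.Select(r => new Claim(ClaimTypes.Role, r)));
        // Short lifetime: a role change in the database only takes effect when a new token is issued.
        var token = new JwtSecurityToken(Issuer, Audience, claims,
            expires: DateTime.UtcNow.AddMinutes(15),
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Called per request with the bearer token; checks signature, issuer, audience and expiry without a DB query.
    public static ClaimsPrincipal Validate(string jwt)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer, ValidAudience = Audience,
            IssuerSigningKey = Key, ValidateIssuerSigningKey = true,
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 } // pin the algorithm the server signs with
        };
        return new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
    }

    public static void Main()
    {
        var jwt = Issue(42, new[] { "Editor", "Auditor" }); // constructed user id and roles
        Console.WriteLine("Editor allowed: " + Validate(jwt).IsInRole("Editor"));
        var parts = jwt.Split('.');                          // header.payload.signature
        parts[2] = (parts[2][0] == 'A' ? "B" : "A") + parts[2].Substring(1); // simulate client-side tampering
        try { Validate(string.Join(".", parts)); Console.WriteLine("tampered token accepted"); }
        catch (SecurityTokenException e) { Console.WriteLine("tampered token rejected: " + e.GetType().Name); }
    }
}
```

If the API is ASP.NET Core, the JWT bearer authentication handler can perform the same validation for every request, so actions only need `[Authorize(Roles = "...")]`.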