Chaitanya Bathia

Reputation: 48

How to restrict multiple users having same role from accessing other users' data in a Web API when using JWT?

I have an ASP.NET Core Web API linked to a database, and in the database is a table containing User details and roles. There are 2 roles, Admin and Basic. The desired functionality using JsonWebToken is that a user with role Admin should be able to add, edit, select and delete on all entries of the User table, whereas when a user with role Basic logs in, they should only be able to edit, view and delete their own record. Suppose a user with ID 1 logs in, is there a way to only allow

https://localhost:44372/api/User/1 to be accessed by User 1 and

https://localhost:44372/api/User/2 should be inaccessible to them?

Also the same logic needs to be applied for Delete and Update. Can anything be done?

Upvotes: 0

Views: 708

Answers (1)

Tore Nestenius

Reputation: 19941

Do check out the built-in Resource-based authorization functionality in ASP.NET Core.

You can read more about it here:

Alternatively, you can add a UserId claim to the access token and then include it in the backend database queries to make sure you can only access what you are supposed to be able to access.

Upvotes: 1
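The resource-based approach from the answer, as an added example that is not the answerer's code: an authorization handler that succeeds for the Admin role or when the `UserId` claim in the validated JWT matches the record's Id, invoked from the controller after the row is loaded. The claim name `UserId`, the `UserRecord` type and the `LoadUser`/`DeleteUser` data-access stubs are assumptions standing in for the real schema.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
// Hypothetical resource type: the User row being accessed (only Id is needed here).
public record UserRecord(int Id, string Name);
// Requirement: the caller must be an Admin or the owner of the record.
public class OwnerOrAdminRequirement : IAuthorizationRequirement { }
// Register in Startup/Program: services.AddSingleton<IAuthorizationHandler, OwnerOrAdminHandler>();
public class OwnerOrAdminHandler : AuthorizationHandler<OwnerOrAdminRequirement, UserRecord>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
        OwnerOrAdminRequirement requirement, UserRecord resource)
    {
        // Admin (role claim in the validated JWT) may act on any record.
        if (context.User.IsInRole("Admin"))
        {
            context.Succeed(requirement);
            return Task.CompletedTask;
        }
        // Basic: the UserId claim from the token must match the record's Id.
        // The id in the URL is never trusted; only the signed token decides ownership.
        var userId = context.User.FindFirst("UserId")?.Value;
        if (userId == resource.Id.ToString())
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}
[ApiController, Route("api/[controller]"), Authorize(Roles = "Admin,Basic")]
public class UserController : ControllerBase
{
    private readonly IAuthorizationService _authz;
    public UserController(IAuthorizationService authz) => _authz = authz;
    // Same pattern applies to GET and PUT: load the row, then authorize against it.
    [HttpDelete("{id}")]
    public async Task<IActionResult> Delete(int id)
    {
        UserRecord? record = LoadUser(id);
        if (record is null) return NotFound();
        var result = await _authz.AuthorizeAsync(User, record, new OwnerOrAdminRequirement());
        if (!result.Succeeded) return Forbid();   // 403: another user's record
        DeleteUser(record);
        return NoContent();
    }
    // Hypothetical data-access stubs standing in for the real database calls.
    private static UserRecord? LoadUser(int id) => id > 0 ? new UserRecord(id, "user" + id) : null;
    private static void DeleteUser(UserRecord record) { /* DELETE FROM Users WHERE Id = @id */ }
}
```

With this in place, a Basic user holding a token with `UserId` = 1 gets 204 for `DELETE /api/User/1` and 403 for `DELETE /api/User/2`, while an Admin token succeeds on both.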
