Apahdos

What is the difference between authorization claims and request parameters in ASP.NET?

What is the difference between using an authorization claim or role, and using the parameter of a, let's say, GET request?

For example, I want a user to access only his own data.

I can have a controller with two GET methods - first using the parameter:

[HttpGet]
[Authorize]
public async Task<ActionResult<IEnumerable<DataDTO>>> GetData(long userId)
{
    // userId comes from the query string, so it is whatever the caller chooses to send.
    // Data.UserId is assumed to be the owner column on the entity.
    return await _context.Data
        .Where(data => data.UserId == userId)
        .Select(data => CreateDataDTO(data))
        .ToListAsync();
}

And according to this answer using the claim:

[HttpGet]
[Authorize]
public async Task<ActionResult<IEnumerable<DataDTO>>> GetData()
{
    //[...]
    // User is the ClaimsPrincipal built from the validated token. FindFirst is defined on
    // ClaimsPrincipal; ClaimsIdentity has no FindFirstValue, so the cast is not needed.
    var userIdClaim = User.FindFirst("UserId")?.Value;
    if (userIdClaim is null || !long.TryParse(userIdClaim, out var userId))
        return Forbid();

    return await _context.Data
        .Where(data => data.UserId == userId)
        .Select(data => CreateDataDTO(data))
        .ToListAsync();
}

I might answer this myself by asking: is the only difference that the one (claim) is encoded into a JWT token, while the other (param) is readable by anyone observing the traffic?

Upvotes: 0

Views: 29

Answers (0)
