/// <summary>
/// Policies are looked up by string name, so expect 'parameters' to be encoded (embedded) in the policy names (errr-don't blame me).
/// </summary>
/// <param name="encodedPolicyName">A colon ':' delimited string of three values [<see cref="RightType>"/>:<see cref="Permission"/>:<see cref="string"/>]</param>
/// <remarks>
/// For Encoding and Decoding see <see cref="PolicyName"/>
/// </remarks>
public Task <AuthorizationPolicy> GetPolicyAsync(string encodedPolicyName)
{
// here's the other end of the magic to decode the string with the requirement details
var requirementDetails = PolicyName.Deserialise(encodedPolicyName);
// If the policy name doesn't match the format expected by this policy provider,
// try the fallback provider. If no fallback provider is used, this would return
// Task.FromResult<AuthorizationPolicy>(null) instead.
if (requirementDetails == null)
{
return(FallbackPolicyProvider.GetPolicyAsync(encodedPolicyName));
}
var policy = new AuthorizationPolicyBuilder();
policy.RequireAuthenticatedUser();
// Set multiple bearer tokens. This pairs with .AddAuthententication to expose
// multiple www-authenticate headers on a 401
//
// see https://stackoverflow.com/questions/49694383/use-multiple-jwt-bearer-authentication
//
policy.AuthenticationSchemes.Add(AuthenticatorDefaults.ExternalAuthenticationSchemeName);
// now we can hand in the requirements from the attribute into the policy which what we really want to do
policy.AddRequirements(
new HasPermissionsOnResourceRequirement(
requirementDetails.Type,
requirementDetails.Access,
requirementDetails.ResourceKey));
return(Task.FromResult(policy.Build()));
}
public AuthoriseAttribute(
RightType type,
Permission permission = Permission.None,
string resourceKey = ResourceKey.Id)
{
// here's the magic of a delimited string
Policy = PolicyName.Make(type, permission, resourceKey).Serialise();
}
