Refactored scopes policy

Tiago Brenck · Tiago Brenck · commit 5132107617d6 · 2020-02-18T17:47:22.000-08:00
diff --git a/4-WebApp-your-API/4-2-B2C/TodoListService/AuthorizationPolicies/ScopesRequirement.cs b/4-WebApp-your-API/4-2-B2C/TodoListService/AuthorizationPolicies/ScopesRequirement.cs
@@ -8,26 +8,34 @@
 
 namespace TodoListService.AuthorizationPolicies
 {
-    /// <summary>
-    /// AuthorizationHandler that will check if the scope claim has the requirement value
-    /// </summary>
-    public class OperationScopeHandler : AuthorizationHandler<OperationAuthorizationRequirement>
+    public class ScopesRequirement : AuthorizationHandler<ScopesRequirement>, IAuthorizationRequirement
     {
+        string[] _scopes;
+
+        public ScopesRequirement(params string[] scopes)
+        {
+            _scopes = scopes;
+        }
+
+        /// <summary>
+        /// AuthorizationHandler that will check if the scope claim has the requirement value
+        /// </summary>
         protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
-                                                       OperationAuthorizationRequirement requirement)
+                                                        ScopesRequirement requirement)
         {
+            // If there are no scopes, do not process
             if (!context.User.Claims.Any(x => x.Type == ClaimConstants.Scope)
-                   && !context.User.Claims.Any(y => y.Type == ClaimConstants.Scp))
+               && !context.User.Claims.Any(y => y.Type == ClaimConstants.Scp))
             {
                 return Task.CompletedTask;
             }
 
             Claim scopeClaim = context?.User?.FindFirst(ClaimConstants.Scp);
 
-            if(scopeClaim == null)
+            if (scopeClaim == null)
                 scopeClaim = context?.User?.FindFirst(ClaimConstants.Scope);
 
-            if (scopeClaim != null && scopeClaim.Value.Split(' ').Contains(requirement.Name))
+            if (scopeClaim != null && scopeClaim.Value.Split(' ').Intersect(requirement._scopes).Any())
             {
                 context.Succeed(requirement);
             }
diff --git a/4-WebApp-your-API/4-2-B2C/TodoListService/Startup.cs b/4-WebApp-your-API/4-2-B2C/TodoListService/Startup.cs
@@ -46,11 +46,11 @@ public void ConfigureServices(IServiceCollection services)
             {
                 // Create policy to check for the scope 'read'
                 options.AddPolicy("ReadScope", 
-                    policy => policy.Requirements.Add(new OperationAuthorizationRequirement { Name = "read" }));
+                    policy => policy.Requirements.Add(new ScopesRequirement("read")));
             });
 
             // Registering an authorization handler that will check if the scope claim has the requirement specified by the policy
-            services.AddSingleton<IAuthorizationHandler, OperationScopeHandler>();
+            //services.AddSingleton<IAuthorizationHandler, ScopesRequirement>();
         }
 
         // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.

Original file line number	Diff line number	Diff line change
`@@ -8,26 +8,34 @@`
`8`	`8`
`9`	`9`	`namespace TodoListService.AuthorizationPolicies`
`10`	`10`	`{`
`11`		`- /// <summary>`
`12`		`- /// AuthorizationHandler that will check if the scope claim has the requirement value`
`13`		`- /// </summary>`
`14`		`- public class OperationScopeHandler : AuthorizationHandler<OperationAuthorizationRequirement>`
	`11`	`+ public class ScopesRequirement : AuthorizationHandler<ScopesRequirement>, IAuthorizationRequirement`
`15`	`12`	`{`
	`13`	`+ string[] _scopes;`
	`14`	`+`
	`15`	`+ public ScopesRequirement(params string[] scopes)`
	`16`	`+ {`
	`17`	`+ _scopes = scopes;`
	`18`	`+ }`
	`19`	`+`
	`20`	`+ /// <summary>`
	`21`	`+ /// AuthorizationHandler that will check if the scope claim has the requirement value`
	`22`	`+ /// </summary>`
`16`	`23`	`protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,`
`17`		`- OperationAuthorizationRequirement requirement)`
	`24`	`+ ScopesRequirement requirement)`
`18`	`25`	`{`
	`26`	`+ // If there are no scopes, do not process`
`19`	`27`	`if (!context.User.Claims.Any(x => x.Type == ClaimConstants.Scope)`
`20`		`- && !context.User.Claims.Any(y => y.Type == ClaimConstants.Scp))`
	`28`	`+ && !context.User.Claims.Any(y => y.Type == ClaimConstants.Scp))`
`21`	`29`	`{`
`22`	`30`	`return Task.CompletedTask;`
`23`	`31`	`}`
`24`	`32`
`25`	`33`	`Claim scopeClaim = context?.User?.FindFirst(ClaimConstants.Scp);`
`26`	`34`
`27`		`- if(scopeClaim == null)`
	`35`	`+ if (scopeClaim == null)`
`28`	`36`	`scopeClaim = context?.User?.FindFirst(ClaimConstants.Scope);`
`29`	`37`
`30`		`- if (scopeClaim != null && scopeClaim.Value.Split(' ').Contains(requirement.Name))`
	`38`	`+ if (scopeClaim != null && scopeClaim.Value.Split(' ').Intersect(requirement._scopes).Any())`
`31`	`39`	`{`
`32`	`40`	`context.Succeed(requirement);`
`33`	`41`	`}`
Original file line number	Diff line number	Diff line change
`@@ -46,11 +46,11 @@ public void ConfigureServices(IServiceCollection services)`
`46`	`46`	`{`
`47`	`47`	`// Create policy to check for the scope 'read'`
`48`	`48`	`options.AddPolicy("ReadScope",`
`49`		`- policy => policy.Requirements.Add(new OperationAuthorizationRequirement { Name = "read" }));`
	`49`	`+ policy => policy.Requirements.Add(new ScopesRequirement("read")));`
`50`	`50`	`});`
`51`	`51`
`52`	`52`	`// Registering an authorization handler that will check if the scope claim has the requirement specified by the policy`
`53`		`- services.AddSingleton<IAuthorizationHandler, OperationScopeHandler>();`
	`53`	`+ //services.AddSingleton<IAuthorizationHandler, ScopesRequirement>();`
`54`	`54`	`}`
`55`	`55`
`56`	`56`	`// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.`