authentication and authorization in .NET

authentication

Also known as "authn". Establishes who the caller is: a credential (password, JWT, client certificate) is validated and the result is expressed as a set of statements about the user, the claims.

e.g.

  • this user's name is Dan Conley
  • this user's user id is 413
  • this user's email is dconley@acvauctions.com
  • this user is a member of the Magnacar dealership
  • this user is in the ACV Employees group
  • this user is in the Engineering group
  • this user is in the Business Operations Engineering group

authorization

Also known as "authz". Decides what an authenticated caller is allowed to do.

e.g.

  • is this user allowed to update this auction?
  • is this user allowed to view this resource?

Claims-based authorization uses the statements -- claims -- that the authentication process attached to the principal to answer the questions authorization asks: "is this user allowed to update this auction?" becomes "does this principal carry a claim that permits updating auctions?".

How is this different from policy-based authorization, since a policy checks claims? In ASP.NET Core it is the same machinery: a policy is a named list of requirements, and RequireClaim(...) just adds a ClaimsAuthorizationRequirement to that list. Policy-based authorization is the general form; a requirement can be satisfied by arbitrary logic in an IAuthorizationHandler (a lookup, a time check, resource ownership) rather than only by the presence of a claim.

How the pieces compose: a policy passes only if every one of its requirements is met; a single requirement is met if any handler registered for it calls Succeed on it; and if any handler calls Fail, the whole check is denied regardless of how many others succeeded. RequireClaim with several allowed values matches if any one of them is present.

This lets us write one IAuthorizationHandler that, when the user carries the IsSuperUser claim (which comes from Django and isn't perfect: we might need something else soon), calls Succeed on every pending requirement, so a super user passes every authz check. It is sudo in code, and should be treated that way: the issuer of that claim and the registration of that handler become the whole access-control boundary.

This didn't actually work out, as the roles weren't present in the DataHub Organization v2 events. We were able to use the tools_user role included in the JWT, but that provided other issues (such as when that wasn't present in the internal tools JWT at first).

graph TD
memberPolicy[Member of Organization Policy]
staffPolicy[Staff Policy]
memberReq[Member of Organization Requirement]
ageReq[Account is X days old Requirement]
staffReq[Staff Requirement]
memberHandler[Member of Organization Handler]
staffHandler[Staff Handler]
superHandler[SuperUser Handler]
ageHandler[Account Age Handler]

memberPolicy-->memberReq
memberPolicy-->ageReq
staffPolicy-->staffReq

memberReq-->memberHandler
memberReq-->staffHandler
staffReq-->staffHandler
ageReq-->ageHandler
memberReq-->superHandler
ageReq-->superHandler
staffHandler-->superHandler
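The policy, requirement and handler wiring sketched in the diagram above, together with the super-user handler described earlier, as an added C# example. This is illustration code, not the project's own; it assumes the Microsoft.AspNetCore.Authorization, Microsoft.Extensions.DependencyInjection and Microsoft.Extensions.Logging packages, and the claim types org, staff, created_at and group are made up for the demo (IsSuperUser is the one the notes mention). Using AddAuthorizationCore lets IAuthorizationService run in a plain console app with no web host.

```csharp
// Added example, not code from the original notes.
// Assumed packages: Microsoft.AspNetCore.Authorization, Microsoft.Extensions.DependencyInjection,
// Microsoft.Extensions.Logging. Claim types "org", "staff", "created_at", "group" are assumptions.
using System;
using System.Globalization;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// Requirements are markers (plus parameters); the handlers hold the logic.
public sealed class MemberOfOrganizationRequirement : IAuthorizationRequirement { }
public sealed class StaffRequirement : IAuthorizationRequirement { }
public sealed class AccountAgeRequirement : IAuthorizationRequirement
{
    public int MinimumDays { get; }
    public AccountAgeRequirement(int minimumDays) => MinimumDays = minimumDays;
}

// Member of Organization Handler: any "org" claim (assumed claim type) satisfies the requirement.
public sealed class MemberOfOrganizationHandler : AuthorizationHandler<MemberOfOrganizationRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext ctx, MemberOfOrganizationRequirement req)
    {
        if (ctx.User.HasClaim(c => c.Type == "org")) ctx.Succeed(req);
        return Task.CompletedTask;
    }
}

// Staff Handler: one handler serving two requirements, as in the diagram (staff count as members too).
public sealed class StaffHandler : IAuthorizationHandler
{
    public Task HandleAsync(AuthorizationHandlerContext ctx)
    {
        if (ctx.User.HasClaim("staff", "true"))
            foreach (var req in ctx.PendingRequirements.ToList())
                if (req is StaffRequirement or MemberOfOrganizationRequirement) ctx.Succeed(req);
        return Task.CompletedTask;
    }
}

// Account Age Handler: "created_at" (assumed ISO-8601 claim) must be at least MinimumDays in the past.
public sealed class AccountAgeHandler : AuthorizationHandler<AccountAgeRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext ctx, AccountAgeRequirement req)
    {
        var raw = ctx.User.FindFirst("created_at")?.Value;
        if (raw is not null
            && DateTimeOffset.TryParse(raw, CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal, out var created)
            && (DateTimeOffset.UtcNow - created).TotalDays >= req.MinimumDays)
            ctx.Succeed(req);
        return Task.CompletedTask;
    }
}

// SuperUser Handler, "sudo in code": succeeds every pending requirement when IsSuperUser is present.
public sealed class SuperUserHandler : IAuthorizationHandler
{
    public Task HandleAsync(AuthorizationHandlerContext ctx)
    {
        if (ctx.User.HasClaim("IsSuperUser", "true"))
            foreach (var req in ctx.PendingRequirements.ToList()) ctx.Succeed(req);
        return Task.CompletedTask;
    }
}

public static class Program
{
    static ClaimsPrincipal Principal(params (string Type, string Value)[] claims) =>
        new(new ClaimsIdentity(claims.Select(c => new Claim(c.Type, c.Value)), "test"));

    public static async Task Main()
    {
        var services = new ServiceCollection().AddLogging(); // DefaultAuthorizationService needs ILogger<T>
        services.AddAuthorizationCore(o =>
        {
            // Policy -> requirements, mirroring the diagram.
            o.AddPolicy("MemberOfOrganization", p => p.AddRequirements(
                new MemberOfOrganizationRequirement(), new AccountAgeRequirement(30)));
            o.AddPolicy("Staff", p => p.AddRequirements(new StaffRequirement()));
            // Claims-based authz is the same machinery: RequireClaim adds a ClaimsAuthorizationRequirement.
            o.AddPolicy("Engineering", p => p.RequireClaim("group", "Engineering"));
        });
        services.AddSingleton<IAuthorizationHandler, MemberOfOrganizationHandler>();
        services.AddSingleton<IAuthorizationHandler, StaffHandler>();
        services.AddSingleton<IAuthorizationHandler, AccountAgeHandler>();
        services.AddSingleton<IAuthorizationHandler, SuperUserHandler>();
        var authz = services.BuildServiceProvider().GetRequiredService<IAuthorizationService>();

        // Constructed sample principals; the values are made up for the demo.
        var users = new (string Name, ClaimsPrincipal User)[]
        {
            ("new member", Principal(("org", "Magnacar"), ("created_at", DateTimeOffset.UtcNow.AddDays(-3).ToString("o")))),
            ("old member", Principal(("org", "Magnacar"), ("created_at", DateTimeOffset.UtcNow.AddDays(-90).ToString("o")))),
            ("staff",      Principal(("staff", "true"), ("group", "Engineering"))),
            ("super user", Principal(("IsSuperUser", "true"))),
        };
        foreach (var (name, user) in users)
            foreach (var policy in new[] { "MemberOfOrganization", "Staff", "Engineering" })
            {
                var result = await authz.AuthorizeAsync(user, policy);
                Console.WriteLine($"{name,-11} {policy,-21} {(result.Succeeded ? "allow" : "deny")}");
            }
    }
}
```

Running it shows the composition rules in action: the new member is denied MemberOfOrganization because the age requirement stays pending even though the membership requirement succeeded; the staff principal is denied it too, since it has no created_at claim, while passing Staff and Engineering; the super user is allowed all three, including the claims-based Engineering policy, because SuperUserHandler succeeds whatever is pending. Any handler that calls ctx.Fail() overrides all of that, which makes a dedicated Fail-only handler the right place for a deny rule (a disabled account, say) that even a super user must not bypass.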