authentication and authorization in .net

Authentication, also known as "authn", describes who a person is.

e.g.

  • this user's name is Dan Conley
  • this user's user id is 413
  • this user's email is dconley@acvauctions.com
  • this user is a member of the Magnacar dealership
  • this user is in the ACV Employees group
  • this user is in the Engineering group
  • this user is in the Business Operations Engineering group

Authorization, also known as "authz", describes what a person can do.

e.g.

  • is this user allowed to update this auction?
  • is this user allowed to view this resource?

Claims-based authorization uses the statements (claims) added by the authentication process to answer the questions asked by authorization.

How is this different from policy-based authorization, given that a policy checks claims too?

authorization checks pass if any predicate is true

This allows us to have an authorization handler that passes all authz checks when the user has the IsSuperUser claim (which comes from Django and isn't perfect: we might need something else soon). Sudo-in-code.

This didn't actually work out, as the roles weren't present in the DataHub Organization v2 events. We were able to use the tools_user role included in the JWT, but that provided other issues (such as when that wasn't present in the internal tools JWT at first).

Policies

  • Member of Organization Policy
  • Staff Policy

Requirements

  • Member of Organization Requirement
  • Account is X days old Requirement
  • Staff Requirement

Handlers

  • Member of Organization Handler
  • Staff Handler
  • SuperUser Handler
  • Account Age Handler
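As an added example (not the project's own code), this is how one requirement/handler pair from the list above (Account Age) and the sudo-in-code SuperUser handler fit together in ASP.NET Core policy-based authorization. The claim names `account_created` and `IsSuperUser`, the claim value `"true"`, and the policy name are assumptions for the example.

```csharp
using System;
using System.Globalization;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;
// Requirement: data only (how old the account must be); no logic lives here.
public sealed class AccountAgeRequirement : IAuthorizationRequirement
{
    public int MinDays { get; }
    public AccountAgeRequirement(int minDays) => MinDays = minDays;
}
// Handler for that one requirement: reads a claim the authentication step attached to the user.
public sealed class AccountAgeHandler : AuthorizationHandler<AccountAgeRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, AccountAgeRequirement requirement)
    {
        var created = context.User.FindFirst("account_created")?.Value; // claim name is assumed
        if (created != null
            && DateTime.TryParse(created, CultureInfo.InvariantCulture,
                   DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out var at)
            && (DateTime.UtcNow - at).TotalDays >= requirement.MinDays)
            context.Succeed(requirement); // do not call Fail: another handler may still satisfy it
        return Task.CompletedTask;
    }
}
// "Sudo-in-code": not bound to one requirement type; it marks every pending requirement
// as met when the user carries the (assumed) IsSuperUser claim with value "true".
public sealed class SuperUserHandler : IAuthorizationHandler
{
    public Task HandleAsync(AuthorizationHandlerContext context)
    {
        if (context.User.HasClaim("IsSuperUser", "true"))
            foreach (var req in context.PendingRequirements.ToList())
                context.Succeed(req);
        return Task.CompletedTask;
    }
}
// Registration: the policy names what is required; the handlers decide whether it is met.
public static class AuthzSetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthorization(o => o.AddPolicy("AccountIs30DaysOld",
            p => p.Requirements.Add(new AccountAgeRequirement(30))));
        services.AddSingleton<IAuthorizationHandler, AccountAgeHandler>();
        services.AddSingleton<IAuthorizationHandler, SuperUserHandler>();
    }
}
```

A controller or endpoint then opts in with `[Authorize(Policy = "AccountIs30DaysOld")]`; the request passes if the account-age claim satisfies the requirement or the superuser handler has marked it met.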