How is access restricted in the ASP.NET Core web app template when using ASP.NET Core Identity

Time:10-29

I have an ASP.NET Core 5 web app that's using ASP.NET Core Identity for authorization. I have scaffolded all of the Identity UI so that I can see how it works.

Within the scaffolded Razor pages in the "Identity" area, I can see several page model classes that are decorated with [AllowAnonymous], but I can't see any reference to anything that restricts access.

There must be something somewhere, though, because some pages in the template website are accessible when not signed in (even though they do not have [AllowAnonymous]), yet most pages in the scaffolded Identity area are not accessible unless signed-in.

How is this achieved? I expected to see a call to AuthorizeFolder (or AuthorizeAreaFolder) but I can't see one anywhere in the project.

I'd like to add some authorization rules of my own, but I'd like to know what the existing rules are before I start making changes.

CodePudding user response:

To maintain full control of the Identity UI, run the Identity scaffolder and select Override all files.

You might want to do this to have full control of the Identity UI.

public void ConfigureServices(IServiceCollection services)
{
    services.Configure<CookiePolicyOptions>(options =>
    {
        options.CheckConsentNeeded = context => true;
        options.MinimumSameSitePolicy = SameSiteMode.None;
    });

    services.AddDbContext<ApplicationDbContext>(options =>
        options.UseSqlServer(
            Configuration.GetConnectionString("DefaultConnection")));

    services.AddIdentity<IdentityUser, IdentityRole>()
        // services.AddDefaultIdentity<IdentityUser>()
        .AddEntityFrameworkStores<ApplicationDbContext>()
        .AddDefaultTokenProviders();

    services.AddMvc()
        .AddRazorPagesOptions(options =>
        {
            // Require an authenticated user for every page under
            // /Account/Manage in the "Identity" area, and for the Logout page.
            options.Conventions.AuthorizeAreaFolder("Identity", "/Account/Manage");
            options.Conventions.AuthorizeAreaPage("Identity", "/Account/Logout");
        });

    // Paths the cookie handler redirects to on challenge, sign-out and forbid.
    services.ConfigureApplicationCookie(options =>
    {
        options.LoginPath = $"/Identity/Account/Login";
        options.LogoutPath = $"/Identity/Account/Logout";
        options.AccessDeniedPath = $"/Identity/Account/AccessDenied";
    });

    // using Microsoft.AspNetCore.Identity.UI.Services;
    services.AddSingleton<IEmailSender, EmailSender>();
}

Reference: Create full Identity UI source

Simple authorization in ASP.NET Core

Razor Pages authorization conventions in ASP.NET Core
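
To record which Identity pages are currently protected before adding rules of your own, the conventions shown above can be pinned down with an integration test. This is an added example, not part of the original answer. It assumes xUnit and the Microsoft.AspNetCore.Mvc.Testing package, an application Startup class named WebApp.Startup (a placeholder name), the login path configured above, and that the ChangePassword page was scaffolded.

```csharp
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc.Testing;
using Xunit;

// "WebApp.Startup" is an assumed name; use the Startup class of the app under test.
public class IdentityAccessTests : IClassFixture<WebApplicationFactory<WebApp.Startup>>
{
    private readonly HttpClient _client;

    public IdentityAccessTests(WebApplicationFactory<WebApp.Startup> factory)
    {
        // Do not follow redirects, so the 302 issued by the cookie handler is visible.
        _client = factory.CreateClient(
            new WebApplicationFactoryClientOptions { AllowAutoRedirect = false });
    }

    // Pages covered by AuthorizeAreaFolder("Identity", "/Account/Manage").
    // Logout is checked separately in practice: an [AllowAnonymous] attribute
    // on a page model takes precedence over an authorization convention.
    [Theory]
    [InlineData("/Identity/Account/Manage")]
    [InlineData("/Identity/Account/Manage/ChangePassword")]
    public async Task ManageFolder_ChallengesAnonymousRequest(string url)
    {
        var response = await _client.GetAsync(url);

        // An unauthenticated request is challenged: redirect to LoginPath with ReturnUrl.
        Assert.Equal(HttpStatusCode.Redirect, response.StatusCode);
        Assert.Equal("/Identity/Account/Login", response.Headers.Location.AbsolutePath);
        Assert.Contains("ReturnUrl=", response.Headers.Location.Query);
    }

    // Pages outside the Manage folder carry no authorization requirement.
    [Theory]
    [InlineData("/Identity/Account/Login")]
    [InlineData("/Identity/Account/AccessDenied")]
    public async Task PagesOutsideManage_AreServedAnonymously(string url)
    {
        var response = await _client.GetAsync(url);

        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
    }
}
```

Add an InlineData row for each page you later protect or open up, so that a change to the conventions which alters access shows up as a failing test.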
