
Thinktecture claims authorization workflow. How does it work?


I have installed the Thinktecture.IdentityModel.Core package.

Suppose I've registered my custom implementation of AuthorizationManager in web.config file.

using System;
using System.Security.Claims;

public class AuthorizationManager : ClaimsAuthorizationManager {
    public override Boolean CheckAccess(AuthorizationContext context) {
        // authorization implementation (left as a placeholder in the post);
        // deny by default until the real check is written
        return false;
    }
}

There are permissions defined in the application db for user roles, so that a user might have Read permission for the Blogs and Arts resources if it is in the BasicUser role.

The workflow as I see it:

  1. at login you make a db query to fetch all action-resource pairs from all assigned roles for the authenticated user
  2. then you have to add claims (based on the db query result) to the identity
  3. ClaimsAuthorizationAttribute makes a call to the ClaimsAuthorizationManager
  4. ClaimsAuthorizationManager internally checks the authentication cookie against the claims from step 2

Am I right?

Or am I supposed to do a database permission lookup inside the CheckAccess method? Will this work on a per-request basis?

How do I transform/attach the db-fetched set of action-resource pairs into identity claims?


Solution

  • Inside the CheckAccess method you are not supposed to look up the database. You are supposed to check whether the claims inside the AuthorizationContext allow the user to access the action/resource. Claims are supposed to be filled during authentication.

    At login, you can fetch roles from your database and add them to the claims; then the claims can be stored in the cookie or in session to avoid fetching them on each request. Cookie or session storage of claims is handled natively (and securely) using the right configuration.
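The following is an added example, not code from the question, the answer, or the Thinktecture project. It walks the workflow from the question as the answer describes it: permissions are fetched once at login (here from a constructed in-memory role table standing in for the application db), turned into claims on the ClaimsIdentity, and CheckAccess then only inspects the claims already on the principal. The permission claim type (urn:app:permission) and the "Action:Resource" value format are assumptions chosen for this example; the manager reads the action and resource from the AuthorizationContext by position, so it works whether the context was built by the plain .NET AuthorizationContext constructor (shown here) or by Thinktecture's ClaimsAuthorization helper, which uses its own claim types.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class PermissionClaims {
    // Assumed claim type for this example; value format is "Action:Resource".
    public const string Type = "urn:app:permission";

    public static string Value(string action, string resource) {
        return action + ":" + resource;
    }
}

// Constructed stand-in for the application db: role -> (action, resource) pairs.
public static class PermissionStore {
    private static readonly Dictionary<string, List<Tuple<string, string>>> RolePermissions =
        new Dictionary<string, List<Tuple<string, string>>> {
            { "BasicUser", new List<Tuple<string, string>> {
                Tuple.Create("Read", "Blogs"), Tuple.Create("Read", "Arts") } },
            { "Editor", new List<Tuple<string, string>> {
                Tuple.Create("Read", "Blogs"), Tuple.Create("Write", "Blogs") } },
        };

    // One query per login, not per request: all pairs for all of the user's roles.
    public static IEnumerable<Tuple<string, string>> ForRoles(IEnumerable<string> roles) {
        return roles.Where(RolePermissions.ContainsKey)
                    .SelectMany(r => RolePermissions[r])
                    .Distinct();
    }
}

public static class LoginService {
    // Step 1 + 2 of the workflow: build the identity that the auth cookie will carry.
    public static ClaimsPrincipal BuildPrincipal(string userName, IEnumerable<string> roles) {
        var roleList = roles.ToList();
        var claims = new List<Claim> { new Claim(ClaimTypes.Name, userName) };
        claims.AddRange(roleList.Select(r => new Claim(ClaimTypes.Role, r)));
        claims.AddRange(PermissionStore.ForRoles(roleList)
            .Select(p => new Claim(PermissionClaims.Type, PermissionClaims.Value(p.Item1, p.Item2))));

        // The authentication type must be set or IsAuthenticated stays false.
        var identity = new ClaimsIdentity(claims, "ApplicationCookie");
        return new ClaimsPrincipal(identity);
    }
}

public class AuthorizationManager : ClaimsAuthorizationManager {
    // Step 3 + 4: the attribute hands us the context; we only read the principal's claims.
    public override bool CheckAccess(AuthorizationContext context) {
        var action = context.Action.FirstOrDefault();
        var resource = context.Resource.FirstOrDefault();
        if (action == null || resource == null) {
            return false; // malformed request: deny, never assume
        }
        if (context.Principal == null || !context.Principal.Identity.IsAuthenticated) {
            return false;
        }

        // Deny by default; allow only when an exact permission claim is present.
        var needed = PermissionClaims.Value(action.Value, resource.Value);
        return context.Principal.HasClaim(PermissionClaims.Type, needed);
    }
}

public static class Program {
    public static void Main() {
        var manager = new AuthorizationManager();
        var user = LoginService.BuildPrincipal("alice", new[] { "BasicUser" });

        // AuthorizationContext(principal, resource, action) is the .NET 4.5 constructor.
        Console.WriteLine(manager.CheckAccess(new AuthorizationContext(user, "Blogs", "Read")));  // True
        Console.WriteLine(manager.CheckAccess(new AuthorizationContext(user, "Blogs", "Write"))); // False
        Console.WriteLine(manager.CheckAccess(new AuthorizationContext(user, "Arts", "Read")));   // True

        var editor = LoginService.BuildPrincipal("bob", new[] { "Editor" });
        Console.WriteLine(manager.CheckAccess(new AuthorizationContext(editor, "Blogs", "Write"))); // True
    }
}
```

Because the permission claims live in the identity, they travel in the authentication cookie and no db round trip happens per request; the trade-off the answer implies is that a permission revoked in the database is not seen until the user re-authenticates or the cookie is reissued, so keep cookie lifetimes short where that matters.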