In ASP.Net Web Forms, you could add the <allow users...> and <deny users...> tags in web.config to control access to your website.
I'm building a Blazor server side app in .Net 6.0, hosted in IIS, that uses windows authentication. I would like to allow only certain domain users to access the site, but it looks like Blazor doesn't support those web.config tags.
I'm assuming appsettings.json would be the place to hold that information. I can create a custom sub-section with a list of users that I could validate in code, but is there a standard/better way? I've read about a security sub-section in appsettings, but not sure how to use that for my purposes.
A policy would do the trick - we had a similar need recently.
Here's an example by just tweaking the AddAuthorization call for just one specific user:
    builder.Services.AddAuthorization(options =>
    {
        options.AddPolicy("SpecificUserPolicy", policy =>
            policy.RequireAssertion(context =>
                context.User.Identity?.Name?.Equals("AD\\myuser", StringComparison.OrdinalIgnoreCase) ?? false));
        options.DefaultPolicy = options.GetPolicy("SpecificUserPolicy");
        // By default, all incoming requests will be authorized according to the default policy.
        options.FallbackPolicy = options.DefaultPolicy;
    });
You could build on that and implement further checks/config.
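
One way to drive the policy above from appsettings.json, as the question asks. This is an added example, not code from the answer; the "Access:AllowedUsers" section name and the sample account names are assumptions.

```csharp
// Program.cs (.NET 6 Blazor Server, Windows authentication behind IIS).
// Assumed appsettings.json section (hypothetical name, constructed values):
//   "Access": { "AllowedUsers": [ "AD\\myuser", "AD\\otheruser" ] }
using Microsoft.AspNetCore.Authentication.Negotiate;
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
    .AddNegotiate();

// Read the allow-list once at startup; compare case-insensitively because
// Windows account names are not case-sensitive.
var allowedUsers = new HashSet<string>(
    builder.Configuration.GetSection("Access:AllowedUsers").Get<string[]>()
        ?? Array.Empty<string>(),
    StringComparer.OrdinalIgnoreCase);

builder.Services.AddAuthorization(options =>
{
    var allowListPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        // Fail closed: a missing or empty list denies everyone.
        .RequireAssertion(context =>
            context.User.Identity?.Name is string name
            && allowedUsers.Contains(name))
        .Build();

    options.DefaultPolicy = allowListPolicy;
    // FallbackPolicy covers endpoints that carry no [Authorize] attribute.
    options.FallbackPolicy = allowListPolicy;
});

builder.Services.AddRazorPages();
builder.Services.AddServerSideBlazor();

var app = builder.Build();

app.UseStaticFiles();   // runs before authorization, so static files are not gated
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();

app.MapBlazorHub();
app.MapFallbackToPage("/_Host");
app.Run();
```

The list is read once at startup, so a change to appsettings.json takes effect only after the app restarts.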