Search code examples
asp.net-corekeycloakroles

ASP.NET Core 8 + Keycloak: Role-based Authorization for Derived Controllers without Code Duplication

I'm working with ASP.NET Core 8 and Keycloak (version 24) for authentication and role-based access control.

Scenario: I have a base controller that implements basic CRUD operations for multiple object types, e.g.:

public class BaseController<T> : Controller
{
    [HttpGet]
    public virtual async Task<IActionResult> Get()
    {
        // Base implementation
    }

    // Other CRUD methods
}

For each specific object type, I have a derived controller that only provides the CRUD operations for that specific type, e.g.:

public class ObjectAController : BaseController<ObjectA>
{
    // Inherits CRUD operations from BaseController
}

Now, I’ve introduced Keycloak roles like Read_ObjectA, Read_ObjectB, Write_ObjectA, etc.

Problem: I need to enforce authorization for each object type with its respective role. For example, ObjectAController should allow access only to users with the Read_ObjectA or Write_ObjectA roles. However, I want to avoid duplicating the methods in each derived controller just to apply the [Authorize] attribute.

Question: Is there a way to apply authorization generically in the base controller so that I don't have to duplicate methods in each derived controller just to specify the correct role? Would writing a custom authorization service be a better solution here, and if so, how could I implement this cleanly?

A simple but tedious approach would be something like this in the derived controller:
[Authorize(Roles = "Read_ObjectA")]
[HttpGet]
public override async Task<IActionResult> Get()
{
    return await base.Get();
}

This feels redundant since I'm only adding the [Authorize] attribute in each derived controller, while the logic remains in the base controller.

Solution

  • I think you just need implement CustomAuthorizeAttribute

        public class CustomAuthorizeAttribute : Attribute, IAuthorizationFilter
    {
        private readonly string[] _roles;

        public CustomAuthorizeAttribute(params string[] roles)
        {
            _roles = roles;
        }

        public void OnAuthorization(AuthorizationFilterContext context)
        {
            // Get the controller name
            var controllerName = context.RouteData.Values["controller"]?.ToString();

            var user = context.HttpContext.User;
            var userRoles = user.Claims.Where(c => c.Type == "role").Select(c => c.Value);

            // Recombine the "Read" to "Read_ObjectA"
            if (!_roles.Any(role => userRoles.Contains(role+"_"+ controllerName)))
            {
                context.Result = new ForbidResult(); // User is not authorized
            }
        }
    }

    Then Use like

            [CustomAuthorize("Read")]
        //[CustomAuthorize("Read","Write")]
        [HttpGet]
        public virtual async Task<IActionResult> Get()
        {
            // Base implementation
        }