Add Authorization post

g7ed6e · g7ed6e · commit b8c66afe9c25 · 2022-10-28T15:17:37.000+02:00
diff --git a/_posts/2022-10-28-aspnetcore-authorization-support.markdown b/_posts/2022-10-28-aspnetcore-authorization-support.markdown
@@ -0,0 +1,81 @@
+---
+# Layout
+layout: post
+title:  "Introducing ASP.NET Core Authorization support"
+date:   2022-10-28 13:00:00 -0800
+categories: release
+# Author
+author: Guillaume Delahaye (https://github.com/g7ed6e)
+---
+#### Introduction
+Next release of CoreWCF will bring support of ASP.NET Core Authorization to allow developers to use ASP.NET Core builtin authentication middleware such as the `Microsoft.AspNetCore.Authentication.JwtBearer` and apply appropriate authorization policies.
+
+#### Builtin attributes support
+When working with ASP.NET Core MVC usually developers use `[Authorize]` and `[AllowAnonymous]` to decorate actions that require specific authorizations.
+#### Authorize support
+To enable a seamless developer experience we brought the ability to decorate `OperationContract` implementation with the ASP.NET Core Authorize attribute. However we introduced the below limitations to suggest developers to embrace the flexible [Policy-based](https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-6.0) model based on `IAuthorizationRequirement`.
+- `AuthenticationSchemes` property is not supported and will trigger a build warning `COREWCF_02XX`.
+- `Roles` property is not supported and will trigger a build warning `COREWCF_02XX`.
+
+We did not bring support of `[Authorize]` attribute at `ServiceContract` implementation level. 
+#### AllowAnonymous support
+We did not bring support of the `[AllowAnonymous]` attribute as we believe that a strong interface segregation between anonymous and secured operations should be set. Moreover supporting this attribute would imply delaying the authentication step in the pipeline leading to potential DDoS vulnerabilities. Decorating an `OperationContract` implementation with `[AllowAnonymous]` will have no effect and will trigger a build warning `COREWCF_02XX`.
+#### Configuration
+To setup this feature in your CoreWCF application you should follow the below steps. I will assume there that we want to enforce clients are authenticating using a JWT Bearer token issued by an authorization server `https://authorization-server-uri`, the service should be protected by the audience `my-audience` and two policies should be defined, one requiring a scope `read` and another one requiring a scope `write`.
+1. Register and configure JWT Bearer authentication middleware as default `AuthenticationScheme`.
+```csharp
+services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
+.AddJwtBearer(options => 
+{
+    options.Authority = "https://authorization-server-uri";
+    options.Audience = "my-audience";
+});
+```
+2. Register authorization policies
+```csharp
+services.AddAuthorization(options => 
+{
+    options.DefaultPolicy = new AuthorizationPolicyBuilder(JwtBearerDefaults.AuthenticationScheme).RequireClaim("scope", "read").Build();
+    options.AddPolicy("WritePolicy", new AuthorizationPolicyBuilder(JwtBearerDefaults.AuthenticationScheme).RequireClaim("scope", "write").Build());
+})
+```
+3. Configure your service to use ASP.NET Core Authentication and Authorization middlewares.
+```csharp
+app.UseServiceModel(builder =>
+{
+    builder.AddService<SecuredService>();
+    builder.AddServiceEndpoint<SecuredService, ISecuredService>(new BasicHttpBinding
+    {
+        Security = new BasicHttpSecurity
+        {
+            Mode = BasicHttpSecurityMode.Transport,
+            Transport = new HttpTransportSecurity
+            {
+                ClientCredentialType = HttpClientCredentialType.InheritedFromHost
+            }
+        }
+    }, "/BasicWcfService/basichttp.svc");
+}
+```
+4. Decorate your service implementation
+```csharp
+[ServiceContract]
+public interface ISecuredService
+{
+    [OperationContract]
+    string ReadOperation();
+    [OperationContract]
+    void WriteOperation(string value);
+}
+
+public class SecuredService : ISecuredService
+{
+    [Authorize]
+    public string ReadOperation() => "Hello world";
+    
+    [Authorize(Policy = "WritePolicy")]
+    public void WriteOperation(string value) { } 
+}
+```
+#### Conclusion
+CoreWCF brings companies a path to extend the life expectancy of legacy WCF services supporting more up to data security standards and programming patterns well known from developers.
