How to define authorization policy?

Question

I get some idea about the policy based authorization in .NET 6.0 based on Microsoft article. https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-6.0

The article mentioned about to hard code the policy in the authorization attribute. I have REST API' and I want to assign permissions to them in some configuration for example in file and how can I can define the policy in the configuration what ingredients it should include so that I can load the policy from the file and then apply on startup to the authorization attribute. How to apply it to authorization attribute I see the following link Bind AuthorizationPolicy to Controller/Action without using AuthorizeAttribute

I am here only interested how I can define the polices in the configuration file(appsettings.json) what template or fields it should have. I know It will move it to database later but I need it for the proof of concepts. I am not sure do we really need to define the policy or we can define the permissions per API and then create policy automatically based on the API permission? Any help in this context will be appreciated.

Regards, IK

Answer 1

I tried as below :

            var policylist = new List<AuthOption>();
            Configuration.GetSection("PolicyList").Bind(policylist);            
            services.AddAuthorization(options => {
                policylist.ForEach(x =>
                {
                    options.AddPolicy(x.PolicyName, policy =>
                     {                         
                         x.Requirement.ForEach(y =>
                         {                             
                             Type type = Type.GetType(System.Reflection.MethodBase.GetCurrentMethod().DeclaringType.Namespace+"."+y.RequirementName);
                             if (y.Inputs!=null)
                             {
                                 var requirement = (IAuthorizationRequirement)Activator.CreateInstance(type,y.Inputs);
                                 policy.AddRequirements(requirement);
                             }
                             else
                             {
                                 var requirement = (IAuthorizationRequirement)Activator.CreateInstance(type);
                                 policy.AddRequirements(requirement);
                             }                       
                             
                         }); 
                     });
                });
            });

added some class:

public class AuthOption
    {
        public AuthOption()
        {
            Requirement = new List<Requirement>();
        }
        public string PolicyName { get; set; }
       
        public List<Requirement> Requirement { get; set; }
    }
    public class Requirement
    {
        public string RequirementName { get; set; }
        public string Inputs { get; set; }
        
    }
    public class MinimumAgeRequirement : IAuthorizationRequirement
    {
        public MinimumAgeRequirement(string minimumAge) =>
            MinimumAge = minimumAge;

        public string MinimumAge { get; }
    }
    public class AnotherRequirement : IAuthorizationRequirement
    {
        
    }

in appsettings.json:

"PolicyList": [
    {
      "PolicyName": "policy1",
      "Requirement": [
        {
          "RequirementName": "MinimumAgeRequirement",
          "Inputs": "21"
        },
        {
          "RequirementName": "AnotherRequirement"
          
        }
      ]
    },

    {
      "PolicyName": "policy2",
      "Requirement": [
        {
          "RequirementName": "AnotherRequirement"
        }        
      ]
    }

  ]

Result: