Skip to main content

ASP.NET Core Check Middleware (ReBAC)

In addition to the pattern described by the Aserto Middleware, in which each route is authorized by its own policy module, the check middleware can be used to implement Relation-Based Access Control (rebac) in which authorization decisions are made by checking if a given subject has the necessary permission or relation to the object being accessed.

This is achieved using the Check attribute of the CheckMiddleware.

A check call needs three pieces of information:

  • The type and key of the object.
  • The name of the relation or permission to look for.
  • The type and key of the subject. When omitted, the subject is derived from the middleware's Identity with type "user".

Installation

Aserto.AspNetCore.Middleware is provided as a NuGet package.

It can be installed:

  • Using Package Manager:
Install-Package Aserto.AspNetCore.Middleware
  • Using .NET CLI
dotnet add package Aserto.AspNetCore.Middleware

Configuration

The following configuration settings are required for Aserto.AspNetCore middleware to run with Topaz. You can add them to your appsettings.json:

// appsettings.json

"Aserto": {
"ServiceUrl": "https://localhost:8282",
"PolicyName": "YOUR_POLICY_NAME",
"PolicyRoot": "YOUR_POLICY_ROOT"
}

These settings can be retrieved from the Policy Settings page of your Aserto account.

The middleware accepts the following optional parameters:

Parameter nameDefault valueDescription
EnabledtrueEnables or disables Aserto Authorization.
ServiceUrlhttps://authorizer.prod.aserto.com:8443Sets the URL for the authorizer endpoint.
Decision"allowed"The decision that will be used by the middleware when creating an authorizer request.

Usage

To use the check middleware in the Startup.cs you will need to add the check options and allow the service to add the check authorization:

            CheckOptions checkOptions = new CheckOptions();
Configuration.GetSection("Aserto").Bind(checkOptions.BaseOptions);
// Adding the check middleware
services.AddAsertoCheckAuthorization(checkOptions,
authorizerConfig =>
{
Configuration.GetSection("Aserto").Bind(authorizerConfig);
});

After the initialization in your controllers you can attach the check attribute to a method as show in the example bellow:

        [HttpPost]        
[Check(objectID: "resource-creators", objectType: "resource-creator", relation: "member")]

The todo-dotnet-v2 example highlights the usage of the ASP.NET Core Aserto middleware next to the ASP.NET Core Check Middleware.