Identity Roles & Claims UI

The Roles Admin UI is enabled when registering the Admin Users UI, which also enables the management APIs and Admin UIs for managing Identity Auth Roles and the Claims assigned to both Users and Roles.

Once registered it will be available from the Roles menu item in the Admin UI sidebar, which can be used to Add and Remove Application Roles:

Custom Application Roles

If your App uses an extended IdentityRole data model, it can be configured with:

services.AddPlugin(
    new AuthFeature(IdentityAuth.For<ApplicationUser,ApplicationRole>(...)));

If it's also configured to use a different PrimaryKey type, it can be configured with:

services.AddPlugin(
    new AuthFeature(IdentityAuth.For<AppUser,AppRole,int>(...)));

IdentityAuth Role Claims

The Edit Role Admin UI also supports Adding and Removing Claims for a Role, e.g:

Any Added or Removed Claims are only applied after clicking Update Role, likewise you can exit the UI without applying any changes by clicking Cancel.

Behavior of Role Claims

Claims added to Roles behave as if the same Claims had been individually applied to every User with that Role: when a User is Authenticated, their principal is populated with all claims assigned to their Roles as well as their individual User Claims.

Validating Claims

Claims are attestations or attributes about a User which can be used to restrict access to APIs to only those Users who have been assigned that claim. For example, we could implement a permission system that restricts usage to Users holding a todos:write permission with something like:

[ValidateHasClaim("perm", "todos:write")]
class CreateTodo {}

Normally this would result in the generic missing claims error message:

But as the perm claim has a customized error message:

HasClaimValidator.ClaimErrorMessages["perm"] = "`${Value} Permission Required`";

It will generate that Error Response instead:

This is a good example of how to use HasClaimValidator.ClaimErrorMessages to add custom error messages for your own custom claim validations.

Inspecting Claims inside Services

You can also inspect and validate a User's Claims by inspecting the Authenticated ClaimsPrincipal, e.g:

using System.Linq;
using ServiceStack;

public class TodoServices : Service
{
    public object Any(CreateTodo request)
    {
        // The authenticated ClaimsPrincipal carries the User's own claims
        // plus the claims of every Role the User belongs to
        var user = Request.GetClaimsPrincipal();
        if (!user.HasClaim("perm", "todos:write"))
            throw HttpError.Forbidden("todos:write Permission Required");

        // All claims (User and Role) are available for further checks
        var allUserClaims = user.Claims.ToList();
        //...
    }
}
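As an added example covering both the Role Claims behavior described above and the `perm` claim validation, the following stand-alone C# program (not ServiceStack's code or part of this documentation) models how claims assigned to Roles merge with a User's individual claims at authentication time, and reproduces the `todos:write` check with the customised `${Value} Permission Required` message. The `RoleClaims` store and the `BuildPrincipal`/`RequirePermission` helpers are hypothetical stand-ins for what the framework does internally; the sample Roles and Users are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Illustrative model only (not ServiceStack's implementation).
static class RoleClaimsDemo
{
    // Constructed sample data: claims assigned to each Role via the Edit Role UI
    static readonly Dictionary<string, List<Claim>> RoleClaims = new()
    {
        ["Manager"]  = new() { new Claim("perm", "todos:write"), new Claim("perm", "todos:read") },
        ["Employee"] = new() { new Claim("perm", "todos:read") },
    };

    // Custom messages keyed by claim type, mirroring HasClaimValidator.ClaimErrorMessages
    static readonly Dictionary<string, string> ClaimErrorMessages = new()
    {
        ["perm"] = "${Value} Permission Required",
    };

    // At authentication the principal receives the User's own claims plus
    // every claim of every Role the User belongs to (duplicates skipped).
    public static ClaimsPrincipal BuildPrincipal(string userName, string[] roles, Claim[] userClaims)
    {
        var identity = new ClaimsIdentity("Identity.Application");
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));
        identity.AddClaims(roles.Select(r => new Claim(ClaimTypes.Role, r)));
        identity.AddClaims(userClaims);
        foreach (var role in roles)
            if (RoleClaims.TryGetValue(role, out var claims))
                identity.AddClaims(claims.Where(c => !identity.HasClaim(c.Type, c.Value)));
        return new ClaimsPrincipal(identity);
    }

    // Same decision [ValidateHasClaim("perm", value)] makes; returns null when allowed,
    // otherwise the customised message (the fallback text here is a stand-in, not the real one)
    public static string RequirePermission(ClaimsPrincipal user, string value)
    {
        if (user.HasClaim("perm", value)) return null;
        var template = ClaimErrorMessages.TryGetValue("perm", out var msg) ? msg : "Missing claim ${Type}:${Value}";
        return template.Replace("${Type}", "perm").Replace("${Value}", value);
    }

    static void Main()
    {
        var employee = BuildPrincipal("alice", new[] { "Employee" }, Array.Empty<Claim>());
        var manager  = BuildPrincipal("bob", new[] { "Manager" }, new[] { new Claim("perm", "reports:read") });
        Console.WriteLine(RequirePermission(employee, "todos:write") ?? "allowed");
        Console.WriteLine(RequirePermission(manager, "todos:write") ?? "allowed");
        Console.WriteLine(string.Join(", ", manager.FindAll("perm").Select(c => c.Value)));
    }
}
```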