Area

Authorization

Authorization Home page

The Authorization Area of the Owin Framework

This area of the Owin Framework is concerned with restricting access to your website or web services. The way this works is as follows:

  1. You must add middleware to the Owin pipeline that implements IMiddleware<IIdentity>. This middleware will identify the caller and add an instance of IIdentity to the request context. There are a few useful implemntations for this in the Owin Framework or you can write an implementation that is specific to your needs.
  2. You must add middleware to the Owin pipeline that implements IMiddleware<IAuthorization>. This middleware will use the IIdentity instance in the request context to identify the caller, check this identities permissions and return a 403 response if the user is not permitted. You will most often use the standard Owin Framework implementation, but you can easily write your own as well.
  3. You must register an impementation of IIdentityData with the IoC container. This will be used to get the permissions associated with the caller's identity. The Owin Framework contains an implementation of this that uses the Prius ORM to store identity data in a relational database. You can also write your own implementation if you want custom behavior.
  4. Middleware that is downstream of Authorization must specify the permission required to execute this request. The Authorization middleware will use this permission to allow or deny the request. Standard Owin Framework middleware such as the Static Files middleware can be configured with a required permission. The Pages middleware allows permissions to be defined on each page and each service endpoint. If you write your own middleware you need to get an instance of IUpstreamAuthorization during the routing phase or request processing and specify the required permission for the request. Your code does not have to do anything other than set the name of the required permission, everything else will be handled by the other components mentioned above.
  5. You can optionally include the Owin Framework standard authorization UI middleware. This middleware will display a user interface inside a <div> element on a page of your website. This UI allows authorized users to manage users, groups, roles and permissions.

Further reading

The Authorization repository

Related Projects