Collectives™ on Stack Overflow

Find centralized, trusted content and collaborate around the technologies you use most.

Learn more about Collectives

Teams

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Learn more about Teams

Trying to implement policy authorization in a .NET6 Web Api.

I've added in authentication and authorization via the configuration:

builder.AddCredibleApplicationFramework(assemblies);
builder.Services.AddAuthentication(options =>
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
.AddJwtBearer(JwtBearerDefaults.AuthenticationScheme,
    options =>
        var tokenValidationSettings = builder.Configuration.GetSection("JwtSettings")
            .Get<TokenValidationSettings>();
        options.TokenValidationParameters = new TokenValidationParameters
            ValidateIssuer = tokenValidationSettings.ValidateIssuer,
            ValidateAudience = tokenValidationSettings.ValidateAudience,
            ValidateIssuerSigningKey = true,
            ValidIssuer = tokenValidationSettings.Issuer,
            IssuerSigningKey =
                new SymmetricSecurityKey(Encoding.ASCII.GetBytes(tokenValidationSettings.SigningKey))
builder.Services.AddAuthorization(options =>
options.AddPolicy("isAdministrator",
    policyBuilder =>
        policyBuilder.AuthenticationSchemes.Add(JwtBearerDefaults.AuthenticationScheme);
        policyBuilder.AddRequirements(new IsAdministratorRequirement());
builder.Services.AddSingleton<IAuthorizationHandler, IsApplicationAdministratorHandler>();
builder.Services.AddDbContext<CDbContext>(options =>
var connection = builder.Configuration.GetConnectionString("conn");
options
    .UseMySql(connection, ServerVersion.AutoDetect(connection))
    .EnableSensitiveDataLogging()
    .EnableDetailedErrors()
    .UseLoggerFactory(loggerFactory);
var app = builder.Build();
if (app.Environment.IsDevelopment())
    app.UseSwagger();
    app.UseSwaggerUI();
app.UseAuthentication();
app.UseAuthorization();
app.UseHttpsRedirection();
app.MapControllers();
app.Run();

The handler success path is executing (the requirement succeeds):

    public class IsApplicationAdministratorHandler : AuthorizationHandler<IsAdministratorRequirement>
        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
        IsAdministratorRequirement requirement)
            if (context.User.HasClaim(c => c.Type.Equals("applicationAdmin")) ||
            context.User.HasClaim(c => c.Type.Equals("platformAdmin")))
                return Task.FromResult(() => context.Succeed(requirement)); <-- This line returns....
            return Task.FromResult(() => context.Fail());

I am getting 403 even though the handler succeeds.

You are returning a lambda method rather than calling context.Succeed ... A Task method has no return type, when its run sync you usually return Task.Completed – Tseng Jun 17, 2022 at 19:38

You are returning a lambda result rather than calling the actual context method, since your lambda is never executed. Its not necessary in your case, as you can directly call context.Succeed(requirement)

public class IsApplicationAdministratorHandler : AuthorizationHandler<IsAdministratorRequirement>
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
    IsAdministratorRequirement requirement)
        if (context.User.HasClaim(c => c.Type.Equals("applicationAdmin")) ||
        context.User.HasClaim(c => c.Type.Equals("platformAdmin")))
            context.Succeed(requirement);
            // this isn't strictly necessary, unless you want to fail hard and early 
            // and not give other policy handlers to be evaluated
            context.Fail(requirement)
        return Task.Completed;
        

Thanks for contributing an answer to Stack Overflow!

  • Please be sure to answer the question. Provide details and share your research!

But avoid

  • Asking for help, clarification, or responding to other answers.
  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.