Securing APIs with policies

I have an application with an Angular front end and .NET Core on the back end.
I have created a custom authorization server. I am able to authenticate and get back an access token,
and I am using JwtBearerDefaults.AuthenticationScheme to validate the token on the back end.
How do I go about securing my backend APIs with policies?
For example, I have an endpoint that requires an admin policy with read/write access,
then I have another endpoint with a read-only policy.
In the backend I am marking my controllers with
[Authorize(Policy = "ReviewerPolicy")]
or
[Authorize(Policy = "AdminPolicy")]

How can I go about doing this using OKTA as my authorization server?

I’d follow the guidance here: https://docs.microsoft.com/en-us/aspnet/core/security/authorization/roles?view=aspnetcore-3.1#policy-based-role-checks

And define the roles as an Okta Group, where the group is a role. To use your example, your application would have an “Admins” group and “Reviewers” group. The appropriate users would be assigned to those groups. In your configuration you would define:

services.AddAuthorization(options =>
{
    options.AddPolicy("AdminPolicy",
         policy => policy.RequireRole("Admins"));
    options.AddPolicy("ReviewerPolicy",
         policy => policy.RequireRole("Reviewers"));
});

This would configure the policies you’re using to require that role in the access token.

You could also combine the group membership with a scope definition, then send the group claim only if the specific role is requested:

https://developer.okta.com/docs/guides/customize-authz-server/create-scopes/
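The following is an added example, not code from the original thread or from Okta, showing how the two policies above fit together with the JWT bearer setup in an ASP.NET Core 3.1 Startup class. It assumes (none of this is stated in the thread) an Okta custom authorization server at https://{yourOktaDomain}/oauth2/default with audience api://default, a claim named "groups" added to that server's access tokens (value type Groups, filter matching the groups you want to expose), and a hypothetical DocumentsController. The one detail that is easy to miss: RequireRole checks ClaimTypes.Role, and the JWT bearer handler does not map an Okta "groups" claim to it, so TokenValidationParameters.RoleClaimType must point at "groups" or the policies will always deny.

```csharp
// Added example (not from the original post): ASP.NET Core 3.1 wiring that
// validates an Okta access token and maps the Okta "groups" claim onto the
// role claim so policy.RequireRole(...) can match Okta group names.
// Assumptions: Authority, Audience, the "groups" claim and the controller
// below are illustrative and not taken from the thread.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Issuer and signing keys are discovered from
                // {Authority}/.well-known/openid-configuration.
                options.Authority = "https://{yourOktaDomain}/oauth2/default";
                options.Audience = "api://default";
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true,
                    // Okta puts group membership in a "groups" claim. Without
                    // this mapping RequireRole inspects ClaimTypes.Role, which
                    // the handler never populates from "groups".
                    RoleClaimType = "groups",
                };
            });

        services.AddAuthorization(options =>
        {
            options.AddPolicy("AdminPolicy",
                policy => policy.RequireRole("Admins"));
            // Design choice for this example: members of the Admins group also
            // satisfy the read-only policy, so an admin need not be in both
            // groups to read. RequireRole succeeds if any listed role matches.
            options.AddPolicy("ReviewerPolicy",
                policy => policy.RequireRole("Reviewers", "Admins"));
            // Deny by default: any endpoint that forgets an [Authorize]
            // attribute still requires an authenticated caller.
            options.FallbackPolicy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
        });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseRouting();
        app.UseAuthentication();   // must run before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

// Hypothetical controller: GET is read-only, POST needs the admin policy.
[ApiController]
[Route("api/[controller]")]
public class DocumentsController : ControllerBase
{
    [HttpGet]
    [Authorize(Policy = "ReviewerPolicy")]
    public IActionResult Read() => Ok(new { status = "read allowed" });

    [HttpPost]
    [Authorize(Policy = "AdminPolicy")]
    public IActionResult Write() => Ok(new { status = "write allowed" });
}
```

A quick check that the mapping is in place: decode an access token issued by the authorization server and confirm it carries a "groups" array containing "Admins" or "Reviewers"; if the claim is absent, the problem is on the Okta side (the groups claim is not configured for the access token), and if it is present but the API returns 403, the RoleClaimType mapping is missing on the API side.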

Hi @jelbatnigi

You can check out the example here, which was done based on https://developer.okta.com/blog/2018/05/11/policy-based-authorization-in-aspnet-core#try-the-new-policy-based-authorization-in-aspnet-core