Fine-grained authorization for your ASP.NET apps

using Microsoft.AspNetCore.Authorization;
using Aserto.AspNetCore.Middleware.Policies;
using Aserto.AspNetCore.Middleware.Extensions;

public void ConfigureServices(IServiceCollection services) {
  services.AddAsertoAuthorization(options => 
    Configuration.GetSection("Aserto").Bind(options));
  services.AddAuthorization(options => {
    var policy = new AuthorizationPolicyBuilder(
      CookieAuthenticationDefaults.AuthenticationScheme);
    policy.AddRequirements(new AsertoDecisionRequirement());
    options.DefaultPolicy = policy.Build();
  });
  services.AddControllersWithViews();
}

Access controls in ASP.NET

Speak with an engineer

Authorization in ASP.NET

.NET is a developer platform made up of tools, programming languages, and libraries for building web, console, and other types of applications. ASP.NET extends the .NET platform with tools and libraries specifically for building web apps. Aserto is an application authorization platform that brings secure, distributed, auditable access management to ASP.NET apps.

Built on trusted open-source CNCF projects like Open Policy Agent (OPA) and Open Container Initiative (OCIv2), Aserto brings role-based access control (RBAC), attribute-based access control (ABAC), and relationship-based access controls (ReBAC) to ASP.NET applications.

Why use Aserto over Microsoft.AspNetCore.Authorization?

There are a few key differences that set Aserto apart from the AspNetCore authorization library:

Authorize locally, manage centrally

Libraries in ASP.NET are embedded directly into the application. When implementing authorization in a web application, this means each backend-microservice has to define its own authorization policy as well as manage that data independently. It also needs to capture, and handle decision logs, meaning we need to custom build a centralized management plane for a unified audit trail of authorization decisions.

If your application consists of multiple services and runs multiple instances of these services, central management of all the authorization artifacts and decision logs creates a streamlined path to operating a distributed and/or modern microservices architecture.

Separation of concerns

Aserto authorization service extracts authorization logic out of the application code and into a policy that is stored and versioned as its own code artifact. This is called separation of concerns. Separation of concerns enables security engineers to evolve the authorization policy separate from software developers evolving the application code.

Rego, a declarative and flexible open source policy language, is used to author and store authorization logic as policies, or policy-as-code. Policy-as-code removes the need to flip rows in a database or hardwire permission logic into application code.

Users as first-class citizens

Additionally, Aserto treats users and roles as first-class citizens. The user/role directory is continuously synchronized with the Aserto authorizer instances so that Aserto can reason about users and roles as a part of the policy without requiring role resolution as an additional external step.

Having user and role information come from the Aserto directory mitigates the risks of coding errors feeding incorrect data into the decision engine.

Setting things up

To get started, you’ll want to leverage the ASP.Net SDK to add authorization middleware. This package allows ASP.NET applications to use Aserto as the Authorization provider.

Deployment options

The open-source authorizer is an authorization project that uses the Open Policy Agent (OPA) decision engine. Creating a tenant in Aserto will automatically create a corresponding Authorizer instance with which you can develop and test. The ASP.Net SDK uses the gRPC API bindings to make it easy to integrate the Aserto authorizer into ASP.Net apps.

For production workloads, authorizers can be deployed as a sidecars, or microservices right next to your application instances to provide minimal latency and 100% availability tied to your application’s uptime.

Decision logging

Out-of-box decision logging enables transparent auditing for security and compliance. All decisions made by the Aserto authorizer can be easily viewed and tracked via the Aserto control plane.

The Authorizer: Topaz

The Aserto open-source authorizer is known as Topaz. It makes authorization decisions based on three important inputs:

1. Policies from your policy registry

2. Users, attributes, and roles from your identity provider (e.g. Okta, Auth0, etc.) supplemented with application-specific information stored in the Aserto directory
3. Resource context passed by in your application

Any changes made to your hosted directory (i.e. in your IDP or enterprise directory) are automatically synchronized into the Aserto directory. The Aserto control plan pushes updates to the edge authorizer in near real-time, ensuring your decisions are based on up-to-date information.

Aserto comes with the following benefits:

Out-of-the-box support for audit trails, custom roles, RBAC, ABAC, and ReBAC
Open-source authorizer that can be deployed in your cloud today
Use a policy-as-code workflow to build, tag, push, version, and pull policy images just like docker images
Quick onboarding via first-class citizen integrations with your identity provider, artifact registry, logging system, backend programming language, and frontend framework.
Built on top of a trusted open source policy engine, the Open Policy Agent (OPA)

Resources

Built for developers with ♥

Sam Hall

Head of Technology, Metrikus

"Authorization has been a constant worry over the last two years - everyone was scared of it. With Aserto, I'm so much more comfortable with authorization because I can see what's going on. Before, it was a dark art - we had a muddled permission structure. With Aserto, we have clear policies that are easy to implement and obvious to analyze. Aserto has made AuthZ something we're not scared of anymore."

Grant Miller

Co-founder / CEO, Replicated

"B2B SaaS vendors have a huge opportunity going after the enterprise, but only if they meet enterprise expectations, as we've captured in EnterpriseReady.io. Replicated serves 50% of the F100, and we know first-hand that authorization and RBAC are table-stakes for enterprise adoption. It's obvious to me that partnering with Aserto is a far better approach compared to rolling your own and having to reinvent the wheel."

David Kerber

VP of Technology

"Authorization involves really hard problems that I want experts to solve. We like to focus our internal engineering efforts on our customers and their problems. Aserto allows us to do just that, at a small fraction of the cost it would take to build and maintain it ourselves, not to mention the opportunity cost."

Mathias Biilmann Christensen

Co-founder & CEO, Netlify

"As millions of developers and businesses are adopting a Jamstack approach, most modern web applications involve multiple APIs and services. Aserto's promise of separating policies from code could radically simplify the implementation of authorization across the front-end UI and the larger world of back-end functions and endpoints."

Tom Preston-Werner

Co-founder, GitHub

"Building & managing an authorization/RBAC system is a huge pain, especially at enterprise scale. So stop! Aserto has a distributed, millisecond latency, 100% availability API for that. I'm excited to help as an angel investor!"