What is the difference between Authorization Claims and Request Parameters in asp.net


What is the difference between using an Authorization Claim or Role, and using the Parameter of a, let’s say, GET?

For example, I want a User to access only his data:

I can have a controller with two GET functions:

First using the parameter:

[HttpGet]
[Authorize]
public async Task<ActionResult<IEnumerable<DataDTO>>> GetData(long userId)
{
    // Filter by the caller-supplied id (assumed column name UserId on the entity);
    // await the query so the Task<ActionResult<...>> return type is satisfied.
    return await _context.Data
        .Where(data => data.UserId == userId)
        .Select(data => CreateDataDTO(data))
        .ToListAsync();
}

And according to this answer using the claim:

[HttpGet]
[Authorize]
public async Task<ActionResult<IEnumerable<DataDTO>>> GetData()
{
    //[...]
    // FindFirstValue is an extension on ClaimsPrincipal (System.Security.Claims), so call it
    // on the controller's User property; the claim value is a string, parsed here to match
    // the entity's key type (assumed column name UserId).
    var userId = long.Parse(User.FindFirstValue("UserId"));

    return await _context.Data
        .Where(data => data.UserId == userId)
        .Select(data => CreateDataDTO(data))
        .ToListAsync();
}

I might answer this myself by asking: Is the only difference that the one (claim) is getting encoded into a JWT token, while the other (param) is readable by anyone observing the traffic?
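To make the distinction concrete, the following is an added example (it is not the asker's code and not taken from any linked answer) of one ASP.NET Core controller with both approaches side by side. The difference it illustrates is not secrecy but provenance: a query or route parameter is a value the caller chooses, whereas a claim is read from a token that the authentication middleware has already validated (signature, issuer, audience, expiry), so only the server-issued identity can appear there. Everything in the block is assumed or constructed: an `AppDbContext` with a `Data` set whose entity carries an `OwnerId` column holding the same value as the `UserId` claim, the `DataDTO` and `CreateDataDTO` names mirroring the question, and the `Admin` role used in the third action.

```csharp
// Added example, not code from the original post. Assumes ASP.NET Core 6+ with EF Core,
// JWT bearer authentication configured in Program.cs, and the hypothetical types below.
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

// Hypothetical entity, DTO and DbContext so the controller compiles stand-alone.
public class Data
{
    public long Id { get; set; }
    public string OwnerId { get; set; } = "";   // same value as the "UserId" claim
    public string Value { get; set; } = "";
}

public class DataDTO
{
    public long Id { get; set; }
    public string Value { get; set; } = "";
}

public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<Data> Data => Set<Data>();
}

[ApiController]
[Route("api/[controller]")]
[Authorize]
public class DataController : ControllerBase
{
    private readonly AppDbContext _context;

    public DataController(AppDbContext context) => _context = context;

    // Variant 1: the authorization decision rests on a value the caller chooses.
    // [Authorize] only proves the caller is *some* authenticated user; nothing here
    // stops user A from sending ?userId=B and receiving B's rows (broken object-level
    // authorization). Request logs for this endpoint cannot tell the two cases apart.
    [HttpGet("by-param")]
    public async Task<ActionResult<IEnumerable<DataDTO>>> GetDataByParam([FromQuery] string userId)
    {
        var rows = await _context.Data
            .Where(d => d.OwnerId == userId)
            .Select(d => CreateDataDTO(d))
            .ToListAsync();
        return Ok(rows);
    }

    // Variant 2: the subject comes from the validated principal. The caller cannot
    // substitute another id because the claim set is fixed by the token the server
    // issued and the middleware verified before this action runs.
    [HttpGet]
    public async Task<ActionResult<IEnumerable<DataDTO>>> GetData()
    {
        var userId = User.FindFirstValue("UserId");
        if (string.IsNullOrEmpty(userId))
            return Forbid();   // token lacks the claim the decision depends on; fail closed

        var rows = await _context.Data
            .Where(d => d.OwnerId == userId)
            .Select(d => CreateDataDTO(d))
            .ToListAsync();
        return Ok(rows);
    }

    // Variant 3: an id in the route is fine *as an identifier* (e.g. for admins or for
    // URLs that must be shareable), provided the ownership check compares it with the
    // claim instead of trusting it. A mismatch that is not an Admin is worth logging as
    // a probable enumeration attempt before returning 403.
    [HttpGet("{userId}")]
    public async Task<ActionResult<IEnumerable<DataDTO>>> GetDataFor(string userId)
    {
        var callerId = User.FindFirstValue("UserId");
        if (callerId != userId && !User.IsInRole("Admin"))
            return Forbid();

        var rows = await _context.Data
            .Where(d => d.OwnerId == userId)
            .Select(d => CreateDataDTO(d))
            .ToListAsync();
        return Ok(rows);
    }

    // Final projection runs client-side in EF Core, so a plain method call is allowed here.
    private static DataDTO CreateDataDTO(Data d) => new DataDTO { Id = d.Id, Value = d.Value };
}
```

Both the parameter and the token travel in the same HTTP request, so neither is hidden from someone who can observe the traffic (TLS protects both equally). What the claim adds is integrity: the server signed it and checks that signature on every request, whereas a parameter is accepted exactly as the client wrote it.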

