What is the difference between using an authorization claim or role and using a parameter of, let's say, a GET request?
For example, I want a User to access only his data:
I can have a controller with two GET functions:
First using the parameter:
[HttpGet]
[Authorize]
public async Task<ActionResult<IEnumerable<DataDTO>>> GetData(long userId)
{
    // userId comes straight from the request; the filter assumes Data has a UserId column
    return await _context.Data
        .Where(data => data.UserId == userId)
        .Select(data => CreateDataDTO(data))
        .ToListAsync();
}
And according to this answer using the claim:
[HttpGet]
[Authorize]
public async Task<ActionResult<IEnumerable<DataDTO>>> GetData()
{
    //[...]
    // read the id from the authenticated principal's claims instead of the request
    var user = (System.Security.Claims.ClaimsIdentity)User.Identity;
    var userId = long.Parse(user.FindFirst("UserId").Value);
    return await _context.Data
        .Where(data => data.UserId == userId)
        .Select(data => CreateDataDTO(data))
        .ToListAsync();
}
I might answer this myself by asking: is the only difference that the one (claim) is encoded into a JWT token, while the other (param) is readable by anyone observing the traffic?
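As an added example (not part of the question or the answer it cites), here is the claim-based version with the claim parsing guarded, plus an ownership check for the case where a record id does have to travel in the URL; AppDbContext, the Data.UserId/Data.Id columns and the DataDTO shape are assumed names.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

[ApiController]
[Route("api/[controller]")]
public class DataController : ControllerBase
{
    private readonly AppDbContext _context; // assumed DbContext exposing DbSet<Data> Data
    public DataController(AppDbContext context) => _context = context;

    // The subject comes from the validated token, never from the query string,
    // so a caller cannot pick someone else's UserId.
    private bool TryGetCallerId(out long userId) =>
        long.TryParse(User.FindFirstValue("UserId"), out userId);

    [HttpGet]
    [Authorize]
    public async Task<ActionResult<IEnumerable<DataDTO>>> GetData()
    {
        if (!TryGetCallerId(out var userId))
            return Forbid(); // token has no usable UserId claim

        return await _context.Data
            .Where(d => d.UserId == userId)      // assumed column on Data
            .Select(d => CreateDataDTO(d))
            .ToListAsync();
    }

    // When a record id must appear in the URL, accept it but check ownership
    // against the claim before returning anything.
    [HttpGet("{id:long}")]
    [Authorize]
    public async Task<ActionResult<DataDTO>> GetOne(long id)
    {
        if (!TryGetCallerId(out var userId))
            return Forbid();

        var row = await _context.Data.SingleOrDefaultAsync(d => d.Id == id);
        if (row is null || row.UserId != userId)
            return NotFound(); // same answer for "missing" and "not yours"

        return CreateDataDTO(row);
    }

    private static DataDTO CreateDataDTO(Data d) =>
        new DataDTO { Id = d.Id, Payload = d.Payload }; // assumed DTO shape
}
```

The query-string id in the original first endpoint is chosen by the caller, so only the claim (or a check of the requested record against the claim, as in GetOne) ties the result to the authenticated user.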