Namespace Trellis.Authorization

Classes

Actor

Represents the current authenticated user making the request. Contains identity, permissions, forbidden permissions, and contextual attributes used by authorization behaviors.

ActorAttributes

Well-known attribute keys for Attributes used in attribute-based access control (ABAC) checks. Claim-based keys align with Azure Entra ID v2.0 access token claims. Use these constants instead of raw strings to prevent key-casing mismatches.

ResourceLoaderById<TMessage, TResource, TId>

Convenience base class for resource loaders that extract a typed ID from the message and load via a repository's GetByIdAsync method.

SharedResourceLoaderById<TResource, TId>

Shared resource loader that loads a resource by ID. Register one per resource type instead of one ResourceLoaderById<TMessage, TResource, TId> per command.

Interfaces

IActorProvider

Provides the current authenticated actor for authorization behaviors. Implement in the API/ACL layer, typically extracting from HttpContext.User or resolving permissions from a database. Register as scoped in DI.

IAuthorize

Marker interface for commands/queries that require static permissions. Authorization checks verify that the current actor has ALL of the RequiredPermissions before calling the handler.

IAuthorizeResource<TResource>

Declares resource-based authorization that requires a loaded resource. Implemented by the command/query. The pipeline loads the resource via IResourceLoader<TMessage, TResource> and passes it to this method.

IIdentifyResource<TResource, TId>

Declares that this message carries a typed resource identifier that can be extracted for resource-based authorization. Implement alongside IAuthorizeResource<TResource> to use a SharedResourceLoaderById<TResource, TId> instead of a per-command ResourceLoaderById<TMessage, TResource, TId>.

IResourceLoader<TMessage, TResource>

Loads the resource required for resource-based authorization. Registered in DI as scoped (typically depends on DbContext via a repository). Resolved per-request by the pipeline behavior via IServiceProvider.