Microsoft Docs

Your guide to Microsoft technologies

ASP.NET Core Authorization

Authorization is the process of determining whether a user is permitted to perform an action or access a resource. ASP.NET Core provides a flexible and extensible authorization system that integrates seamlessly with authentication.

Understanding Authorization Concepts

Authorization decisions are typically made based on user identity, roles, claims, or custom policies.

  • Roles: Users can be assigned to one or more roles (e.g., "Admin", "Editor").
  • Claims: Claims represent attributes about a user (e.g., "Name", "Country", "Department").
  • Policies: Policies are a more sophisticated way to express authorization requirements, often combining roles, claims, or custom logic.

Attribute-Based Authorization

The simplest form of authorization is using attributes directly on controllers or action methods. This is ideal for straightforward requirements.


[Authorize(Roles = "Admin")]
public IActionResult AdminPanel()
{
    // ...
    return View();
}

[Authorize(Policy = "RequireAdministratorRole")]
public IActionResult SensitiveData()
{
    // ...
    return View();
}

Policy-Based Authorization

Policy-based authorization offers greater flexibility. You define policies in your application's startup configuration and then reference them using the [Authorize] attribute.

Configuring Policies in Startup.cs (or Program.cs)


services.AddAuthorization(options =>
{
    options.AddPolicy("RequireAdministratorRole", policy =>
        policy.RequireRole("Administrator"));

    options.AddPolicy("EmployeeOnly", policy =>
        policy.RequireAssertion(context =>
        {
            // Custom logic to check for employee status
            return context.User.HasClaim(c => c.Type == "EmployeeId");
        }));
});

Using Policies in Controllers


[Authorize(Policy = "RequireAdministratorRole")]
public IActionResult ManageUsers()
{
    // ...
    return View();
}

[Authorize(Policy = "EmployeeOnly")]
public IActionResult ViewEmployeeProfile()
{
    // ...
    return View();
}

Authorization Services and Interfaces

ASP.NET Core provides services like IAuthorizationService for programmatic authorization within application logic, allowing for dynamic authorization decisions.


public class MyController : Controller
{
    private readonly IAuthorizationService _authorizationService;

    public MyController(IAuthorizationService authorizationService)
    {
        _authorizationService = authorizationService;
    }

    public async Task EditDocument(int documentId)
    {
        var document = _documentService.GetDocument(documentId);
        var authorizationResult = await _authorizationService.AuthorizeAsync(User, document, "EditDocumentPolicy");

        if (authorizationResult.Succeeded)
        {
            // User is authorized to edit
            return View(document);
        }
        else
        {
            return Forbid(); // Or return Challenge()
        }
    }
}

Authorization Handlers

Custom authorization logic can be implemented by creating AuthorizationHandler classes that evaluate requirements.

Best Practices

  • Always authorize based on the principle of least privilege.
  • Use policies for complex authorization scenarios.
  • Keep authorization logic separate from business logic where possible.
  • Thoroughly test your authorization rules.