Role-Based Authorization
Restrict endpoints by user roles.
Authentication Versus Authorization
Authentication answers "who are you?". Authorization answers "what are you allowed to do?".
The simplest authorization model in ASP.NET Core is role-based: a user belongs to roles, and endpoints require specific roles.
// User has roles: admin, editor
// Endpoint requires: adminWhere Roles Come From
A role is just a claim of type ClaimTypes.Role. When you issue a JWT, add one role claim per role the user holds.
var claims = new List<Claim>
{
new Claim(ClaimTypes.NameIdentifier, user.Id.ToString()),
new Claim(ClaimTypes.Role, "admin"),
new Claim(ClaimTypes.Role, "editor")
};All lessons in this course
- Role-Based Authorization
- Claims-Based Authorization
- Policy-Based Authorization
- Custom Authorization Requirements