Authorization Policies & Claims in ASP.NET Core

💡 Concept Name

Authorization Policies & Claims

📘 Quick Intro

Authorization in ASP.NET Core determines what actions a user is allowed to perform. You can implement it using roles, claims, and policies for fine-grained access control.

🧠 Analogy / Short Story

Imagine a theme park. A regular ticket gets you in, but a VIP badge (claim) gives access to backstage areas. Security guards (authorization handlers) check your badge and the park rules (policies) to decide where you can go.

🔧 Technical Explanation

ASP.NET Core supports role-based and policy-based authorization. A Claim represents a statement about a user (like "Department: HR"). A Policy is a logical condition that must be satisfied for access.

Policies are registered in Startup.cs (or Program.cs in .NET 6+) and evaluated by the authorization middleware as a request passes through the pipeline. For logic that the built-in requirements cannot express, you can write custom authorization handlers.

🎯 Purpose & Use Case

  • ✅ Control access based on user roles or attributes
  • ✅ Define flexible security rules using claims and policies
  • ✅ Implement feature-based authorization (like AdminOnly)
  • ✅ Secure APIs using bearer tokens with claims
  • ✅ Enforce compliance with business rules (e.g., "AgeOver18")

💻 Real Code Example

Defining and using an Authorization Policy:

// Program.cs
builder.Services.AddAuthorization(options =>
{
    // A user must carry a "Department" claim whose value is "HR"
    options.AddPolicy("HRPolicy", policy =>
        policy.RequireClaim("Department", "HR"));
});

// Controller
[Authorize(Policy = "HRPolicy")]
public IActionResult HRDashboard()
{
    return View();
}

Highlight: Only users whose identity carries a Department claim with the value HR can reach this action; everyone else is denied.

โ“ Interview Q&A

Q1: What is a claim in ASP.NET Core?
A: It's a key-value pair representing a user's identity info (e.g., role, department).

Q2: What is policy-based authorization?
A: Authorization where access is granted based on rules you define in policies.

Q3: Can claims be stored in tokens?
A: Yes, especially in JWT tokens used in API authentication.

Q4: What is an AuthorizationHandler?
A: A custom class to evaluate whether a user meets a specific requirement.

Q5: How are roles different from policies?
A: Roles are simple user groups; policies offer more complex rule logic.

Q6: Where do you define policies in .NET 6+?
A: In the builder.Services.AddAuthorization() section in Program.cs.

Q7: What happens if a user lacks a required claim?
A: They receive a 403 Forbidden response and are denied access.

Q8: Can we chain multiple requirements in a single policy?
A: Yes, using .RequireClaim(), .RequireRole(), etc.

Q9: How do you authorize in Razor Pages?
A: Use the [Authorize] attribute on PageModel or in conventions.

Q10: Is it possible to write dynamic policies?
A: Yes, via custom handlers that use services and context info.

๐Ÿ“ MCQs

Q1. Which attribute is used to enforce authorization in controllers?

  • [AllowAnonymous]
  • [Authorize]
  • [RequirePolicy]
  • [Security]

Q2. What does a claim represent?

  • API method
  • Static page
  • Controller
  • User's identity info like role or department

Q3. Where are authorization policies registered?

  • In Startup.cs constructor
  • In Configure() method
  • In Program.cs
  • In the AddAuthorization() method

Q4. What response does ASP.NET Core return for failed authorization?

  • 401 Unauthorized
  • 200 OK
  • 403 Forbidden
  • 500 Internal Server Error

Q5. What is used to evaluate custom authorization requirements?

  • PolicyBuilder
  • HttpContext
  • Middleware
  • AuthorizationHandler

Q6. How to allow access to anonymous users?

  • [Public]
  • [NoAuth]
  • [AllowAnonymous]
  • [Unprotected]

Q7. What is the benefit of policy-based auth over role-based?

  • Better performance
  • More secure tokens
  • More flexible and expressive access rules
  • None

Q8. Can policies include multiple claims?

  • No
  • Only roles
  • Yes
  • Only in JWT

Q9. Which service registers claim-based policy?

  • AddIdentity
  • AddPolicy
  • ConfigurePolicy
  • AddAuthorization

Q10. In Razor Pages, where is [Authorize] applied?

  • On cshtml file
  • On Startup.cs
  • On the PageModel class
  • On Layout.cshtml

💡 Bonus Insight

Policy-based authorization is more maintainable in large apps. You can add custom requirements like "MustBeOver18" or "MustBePremiumUser" by implementing IAuthorizationRequirement and pairing it with an AuthorizationHandler that evaluates it.
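As an added example (not code from the original page), here is the custom-requirement pattern the insight above describes: a MinimumAgeRequirement evaluated by an AuthorizationHandler and registered as the "MustBeOver18" policy. The DateOfBirth claim name, its yyyy-MM-dd format and the class names are assumptions; the registration lines are a Program.cs fragment that belongs beside the page's earlier AddAuthorization call.

```csharp
// Added example, not from the original page. Assumes the user's identity carries a
// "DateOfBirth" claim in yyyy-MM-dd form (an assumption; pick the claim your IdP issues).
using System;
using System.Globalization;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// The requirement only carries the data the rule needs; it holds no logic.
public sealed class MinimumAgeRequirement : IAuthorizationRequirement
{
    public int MinimumAge { get; }
    public MinimumAgeRequirement(int minimumAge) => MinimumAge = minimumAge;
}

// The handler evaluates the requirement against the current user's claims.
public sealed class MinimumAgeHandler : AuthorizationHandler<MinimumAgeRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, MinimumAgeRequirement requirement)
    {
        var dobClaim = context.User.FindFirst("DateOfBirth");
        // Missing or malformed claim: leave the requirement unmet (fail closed)
        // rather than calling Fail(), so other handlers for the policy can still run.
        if (dobClaim is null ||
            !DateTime.TryParseExact(dobClaim.Value, "yyyy-MM-dd",
                CultureInfo.InvariantCulture, DateTimeStyles.None, out var dob))
        {
            return Task.CompletedTask;
        }

        var today = DateTime.UtcNow.Date;
        var age = today.Year - dob.Year;
        if (dob.Date > today.AddYears(-age)) age--;  // birthday not yet reached this year

        if (age >= requirement.MinimumAge)
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

// Program.cs fragment: the policy demands an authenticated user plus the age check,
// and the handler must be registered in DI so the authorization service can find it.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("MustBeOver18", policy =>
        policy.RequireAuthenticatedUser()
              .AddRequirements(new MinimumAgeRequirement(18)));
});
builder.Services.AddSingleton<IAuthorizationHandler, MinimumAgeHandler>();
```

Apply it exactly like the HR example above, with [Authorize(Policy = "MustBeOver18")] on the action or PageModel; an authenticated user who fails the check receives 403 Forbidden.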
