Claims-Based Authorization in ASP.NET Core

In this tutorial, let us learn how to configure claims-based Authorization in the ASP.NET core. In the last tutorial, we showed you how to Manage Claims in ASP.NET Core Identity. In this tutorial, we show you how to use those claims to protect the apps.

How Claims Based Authorization works

The claims-based authorization works by checking if the user has a claim to access an URL.

In ASP.NET Core we create policies to implement the Claims-Based Authorization. The policy defines what claims that user must process to satisfy the policy. We apply the policy on the Controller, action method, razor page, etc.

Only those users who carry claims, which satisfies the policy allowed to access the resources. Others are redirected to access denied page.

Assign Claims to Users

Claim is a piece of information about the user. It is consists of a Claim type and an optional value. We store it in the form of name-value pair. A Claim can be anything for example Name Claim, Email  Claim, Role Claim, PhoneNumber Claim, etc.

Storing Claims

A User can have any number of claims. The Identity API stores the claims in the AspNetUserClaims table. You can refer to the tutorial how to add claims to users in Identity.

Signing Users In

The Claims are added to the Authentication cookies or JWT bearer token (depending on which one you are using) when the user signs in sucessfully. You can read more about Cookie Authentication in ASP.NET Core & JWT Authentication in ASP.NET Core. The ASP.NET Core Identity uses the Cookie Authentication

These cookies or Tokens are then sent to the client along with the response. The Client needs to send them back with every request made to the server.

The Authentication cookies arrive as cookies. The browser does it automatically for us. But the JWT token needs to be stored somewhere safe by the client. It must include the token in the Authorisation Header on every request made to the server.

Building Authorization Policy Using Claims

In ASP.NET Core, we cannot use claims directly in the Authorize attribute. But instead, we define a Policy. We map the Claim to the Policy using the RequireClaim method.

A Policy defines a collection of requirements, that the user must satisfy. We define the Policy in the ConfigureServices method of the Startup class using the AddAuthoirization extension method.

The following code creates a AdminOnly policy. The policy requires the claim Admin.

Policy with Single Claim

The following policy creates an AdminOnly Policy. The user must have the Admin claim. The value of the Claim does not matter here.

Policy with Claim & Value

The following is the ITOnly Policy, which requires the user the have a claim Permission with the value IT. The Permission claim with any other value is not allowed.

Policy with Multiple Claims

You can chain multiple Claims together as shown below. The SuperIT policy requires user the have Permission claim with Value IT and separate IT claim. The user must satisfy both conditions.

Securing the End Points with Claims

To secure an endpoint, we apply the Policy using the Authorize attribute.

The following example shows how to use policy to secure the SomeSecureAction

Claims Based Authorization Example

We create a project to create Add Claims in ASP.NET Core Identity. We will use that to test claim based authorization

Goto MVCProductsController and add the Policy AdminOnly. Note that we already have AllowAnonymous attribute on the index method. The users are able to view the list of Products, but will not be able to access the Create, Edit, or Delete Page.

Claim based Authorization example in ASP.NET Core

Test the app now. First Register a new user and log in and try to access the Product Details Page. You will see the Access denied page. Go to the Users page and add Admin Claim. You can give any value as you like. Because we are only checking for the Claim and not value. Log out and log in again, you will see the claims now added to the User Object.

References

Source Code

Leave a Comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to Top