.NET - Role-Based and Policy-Based Authorization

Role-Based and Policy-Based Authorization in .NET

Authorization is a key aspect of securing any web application. In ASP.NET Core, there are two main authorization strategies: Role-Based Authorization and Policy-Based Authorization. These methods help developers protect routes, resources, or operations depending on the identity and privileges of the user.

What is Authorization in .NET?

Authorization is the process of determining whether a user has permission to perform a certain action or access specific resources. In .NET Core, authorization is implemented using middleware that checks user credentials after authentication.

Difference Between Authentication and Authorization

• Authentication confirms the user's identity.
• Authorization determines what resources a user can access.

Role-Based Authorization in ASP.NET Core

What is Role-Based Authorization?

Role-Based Authorization controls access to resources based on assigned user roles. A user can belong to one or more roles such as Admin, Manager, or User, and the access rules are enforced based on these roles.

Enabling Role-Based Authorization

Make sure your application is configured to use Identity. Here's a basic setup in Startup.cs:

services.AddDefaultIdentity<IdentityUser>(options => options.SignIn.RequireConfirmedAccount = true)
        .AddRoles<IdentityRole>()
        .AddEntityFrameworkStores<ApplicationDbContext>();
    

Assigning Roles to Users

You can create and assign roles to users during application startup or through user registration logic.

var roleManager = serviceProvider.GetRequiredService<RoleManager<IdentityRole>>();
var userManager = serviceProvider.GetRequiredService<UserManager<IdentityUser>>();

if (!await roleManager.RoleExistsAsync("Admin"))
{
    await roleManager.CreateAsync(new IdentityRole("Admin"));
}

var user = await userManager.FindByEmailAsync("admin@example.com");
await userManager.AddToRoleAsync(user, "Admin");
    

Using Role-Based Authorization in Controllers

[Authorize(Roles = "Admin")]
public IActionResult AdminDashboard()
{
    return View();
}
    

Multiple Roles

[Authorize(Roles = "Admin,Manager")]
public IActionResult Dashboard()
{
    return View();
}
    

Policy-Based Authorization in ASP.NET Core

What is Policy-Based Authorization?

Policy-Based Authorization allows more granular control over user permissions. Instead of just checking roles, it can check claims or custom logic.

Defining Policies in Startup

services.AddAuthorization(options =>
{
    options.AddPolicy("AdminOnly", policy =>
        policy.RequireRole("Admin"));
        
    options.AddPolicy("EmployeeOnly", policy =>
        policy.RequireClaim("EmployeeId"));
});
    

Using Policy-Based Authorization in Controllers

[Authorize(Policy = "AdminOnly")]
public IActionResult AdminPanel()
{
    return View();
}

[Authorize(Policy = "EmployeeOnly")]
public IActionResult EmployeePage()
{
    return View();
}
    

Creating Custom Policy Requirements

You can create your own custom requirement by implementing the IAuthorizationRequirement interface.

public class MinimumAgeRequirement : IAuthorizationRequirement
{
    public int MinimumAge { get; }

    public MinimumAgeRequirement(int minimumAge)
    {
        MinimumAge = minimumAge;
    }
}
    

Creating a Handler

public class MinimumAgeHandler : AuthorizationHandler<MinimumAgeRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        MinimumAgeRequirement requirement)
    {
        var dateOfBirthClaim = context.User.FindFirst(c => c.Type == "DateOfBirth");
        if (dateOfBirthClaim == null)
        {
            return Task.CompletedTask;
        }

        var birthDate = Convert.ToDateTime(dateOfBirthClaim.Value);
        int age = DateTime.Today.Year - birthDate.Year;

        if (birthDate > DateTime.Today.AddYears(-age))
        {
            age--;
        }

        if (age >= requirement.MinimumAge)
        {
            context.Succeed(requirement);
        }

        return Task.CompletedTask;
    }
}
    

Registering the Custom Handler

services.AddSingleton<IAuthorizationHandler, MinimumAgeHandler>();

services.AddAuthorization(options =>
{
    options.AddPolicy("AtLeast18", policy =>
        policy.Requirements.Add(new MinimumAgeRequirement(18)));
});
    

Using Custom Policy

[Authorize(Policy = "AtLeast18")]
public IActionResult AgeRestrictedContent()
{
    return View();
}
    

Combining Roles and Policies

You can combine both strategies to fine-tune access control:

services.AddAuthorization(options =>
{
    options.AddPolicy("AdminWithEmployeeId", policy =>
    {
        policy.RequireRole("Admin");
        policy.RequireClaim("EmployeeId");
    });
});
    

Apply Combined Policy

[Authorize(Policy = "AdminWithEmployeeId")]
public IActionResult SpecialDashboard()
{
    return View();
}
    

Accessing Roles and Claims in Razor Views

@if (User.IsInRole("Admin"))
{
    <p>Welcome Admin!</p>
}

@if (User.HasClaim("EmployeeId", "123"))
{
    <p>Hello Employee 123!</p>
}
    

Benefits of Role-Based vs Policy-Based Authorization

Aspect	Role-Based	Policy-Based
Flexibility	Less flexible	Highly flexible
Use Cases	Simple role-checks like Admin/User	Claims-based access, custom logic
Maintainability	Simple and easy	Complex, but scalable

Best Practices for Authorization in ASP.NET Core

• Use Role-Based Authorization for simple scenarios.
• Leverage Policy-Based Authorization for complex logic.
• Never trust client-side role or claim information.
• Always validate claims server-side.
• Keep authorization logic separate from business logic.

ASP.NET Core offers a rich and extensible framework for securing applications using Role-Based and Policy-Based Authorization. By combining roles, claims, and custom requirements, you can implement fine-grained access control tailored to your application needs. This flexibility not only enhances security but also improves the maintainability and scalability of your web application.