Authorization in ASP.NET Identity


In this article, I am going to discuss Authorization in ASP.NET Identity. Please read our previous article, where we discussed How to Lockout a User Account in ASP.NET Identity. Here, I will show you How to implement simple Authorization using ASP.NET Identity.

Authorization in ASP.NET Identity:

ASP.NET Identity offers an important user management feature called Authorization. The Authorization feature of ASP.NET Identity enables us to control access to our web application’s resources by determining who can and cannot access them. To illustrate this, let’s consider the following UserController with its two action methods.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

namespace AspNetIdentityWithNewProject.Controllers
{
    public class UserController : Controller
    {
        //Anonymous User Can Access the SomeActionMethod1
        public ActionResult SomeActionMethod1()
        {
            return View();
        }

        //Anonymous User Can Access the SomeActionMethod2
        public ActionResult SomeActionMethod2()
        {
            // Implementation ... 
            return RedirectToAction("Index", "Home");
        }
    }
}

At this point anyone can access the above two action methods. Suppose the business requirement is that only authorized users may access SomeActionMethod2. To achieve this, the Authorize Attribute is applied to the SomeActionMethod2 action method, ensuring that only authenticated users can access it.

Authorize Attribute in ASP.NET Identity:

To restrict access to a resource (such as a controller or action) to authenticated users only, the Authorize Attribute can be applied. By adding this attribute to the SomeActionMethod2 action method, only users who have been authenticated will be able to access it.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

namespace AspNetIdentityWithNewProject.Controllers
{
    public class UserController : Controller
    {
        //Anonymous User Can Access the SomeActionMethod1
        public ActionResult SomeActionMethod1()
        {
            return View();
        }

        //Only Authorized Users Can Access the SomeActionMethod2
        [Authorize]
        public ActionResult SomeActionMethod2()
        {
            // Implementation ... 
            return RedirectToAction("Index", "Home");
        }
    }
}

If a non-authenticated user tries to access the SomeActionMethod2 action method, they are redirected to the /Account/Login path. This default path is defined in the Startup.Auth.cs class file, as shown in the code below. You can change the value assigned to the LoginPath property in order to redirect non-authenticated users to a custom URL (a custom login page, for example).

[Image not reproduced: the Startup.Auth.cs code that sets LoginPath to /Account/Login]
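Since the screenshot is not reproduced, here is the equivalent fragment from the default ASP.NET MVC 5 / Identity 2 project template's Startup.Auth.cs, trimmed to the cookie registration that sets LoginPath (added here, not the article's own listing; the custom path in the comment is a hypothetical example):

```csharp
// Added example (not from the original article): the cookie middleware
// registration from the default MVC 5 / Identity 2 template's Startup.Auth.cs,
// trimmed to the part that matters for [Authorize] redirects. An unauthenticated
// request to an [Authorize] action produces a 401, which this middleware turns
// into a 302 redirect to LoginPath, carrying the original URL in ReturnUrl.
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

namespace AspNetIdentityWithNewProject
{
    public partial class Startup
    {
        public void ConfigureAuth(IAppBuilder app)
        {
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,

                // Template default. To send unauthenticated users to a custom
                // login page, replace the path, e.g. new PathString("/Auth/SignIn")
                // (hypothetical path, for illustration only).
                LoginPath = new PathString("/Account/Login")
            });
        }
    }
}
```

If LoginPath is left unset, the middleware returns the bare 401 instead of redirecting, which is what you want for API-style endpoints but not for browser pages.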

If you want to restrict access to all the action methods of the controller instead of only a specific action, you can do it by assigning the Authorize Attribute to that controller as follows.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

namespace AspNetIdentityWithNewProject.Controllers
{
    //Only Authorized Users Can Access the Action Methods of this Controller
    [Authorize]
    public class UserController : Controller
    {
        public ActionResult SomeActionMethod1()
        {
            return View();
        }
        
        public ActionResult SomeActionMethod2()
        {
            // Implementation ... 
            return RedirectToAction("Index", "Home");
        }
    }
}

If you want to restrict access to the whole controller except for one method, you can do it by using the AllowAnonymous Attribute. For example, if SomeActionMethod3 should be accessible to anonymous users, decorate SomeActionMethod3 with the AllowAnonymous Attribute as follows.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

namespace AspNetIdentityWithNewProject.Controllers
{
    //Only Authorized Users Can Access the Action Methods of this Controller
    [Authorize]
    public class UserController : Controller
    {
        public ActionResult SomeActionMethod1()
        {
            return View();
        }

        public ActionResult SomeActionMethod2()
        {
            // Implementation ... 
            return RedirectToAction("Index", "Home");
        }

        //Anonymous User can access this Action Method
        [AllowAnonymous]
        public ActionResult SomeActionMethod3()
        {
            return View();
        }
    }
}

When you add the AllowAnonymous attribute to an action method, non-authenticated users can access it even if the controller carries the Authorize attribute. This is useful for exposing specific actions to users who are not logged in: with AllowAnonymous on SomeActionMethod3, non-authenticated users can reach that action without logging in first.

Be careful when using the AllowAnonymous attribute on an entire controller, because it overrides any Authorize attributes applied to that controller's action methods. In the code below, even though the Authorize attribute has been applied to SomeActionMethod1 and SomeActionMethod2, non-authenticated users can still access both action methods, since the AllowAnonymous attribute on the User controller overrides the action-level Authorize attributes.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

namespace AspNetIdentityWithNewProject.Controllers
{
    //Anonymous User can access all the Action Methods of this Controller
    [AllowAnonymous]
    public class UserController : Controller
    {
        [Authorize]
        public ActionResult SomeActionMethod1()
        {
            return View();
        }

        [Authorize]
        public ActionResult SomeActionMethod2()
        {
            // Implementation ... 
            return RedirectToAction("Index", "Home");
        }
        
        public ActionResult SomeActionMethod3()
        {
            return View();
        }
    }
}
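The controller-level AllowAnonymous override described above is easy to miss in code review. As an added example (not from the original article), the following reflection-based audit applies the MVC 5 evaluation rule to every controller in an assembly and reports which actions anonymous users can reach; it assumes System.Web.Mvc is referenced and that the controllers live in the assembly passed to Run. The AnonymousAccessAudit class and its method names are this example's own.

```csharp
// Added example (not part of the original article): lists actions reachable
// without authentication, using the MVC 5 rule the article describes:
// [AllowAnonymous] on the action OR its controller wins over any [Authorize];
// otherwise [Authorize] on either level requires a logged-in user.
using System;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

namespace AspNetIdentityWithNewProject.Audit
{
    public static class AnonymousAccessAudit
    {
        // True when the action can be invoked by a non-authenticated user.
        public static bool IsAnonymouslyReachable(MethodInfo action)
        {
            Type controller = action.DeclaringType;
            bool allowAnonymous =
                action.IsDefined(typeof(AllowAnonymousAttribute), inherit: true) ||
                controller.IsDefined(typeof(AllowAnonymousAttribute), inherit: true);
            bool authorize =
                action.IsDefined(typeof(AuthorizeAttribute), inherit: true) ||
                controller.IsDefined(typeof(AuthorizeAttribute), inherit: true);
            return allowAnonymous || !authorize;
        }

        // Prints one line per action, e.g. "UserController.SomeActionMethod1: ANONYMOUS".
        public static void Run(Assembly assembly)
        {
            var controllers = assembly.GetTypes()
                .Where(t => t.IsClass && !t.IsAbstract && typeof(Controller).IsAssignableFrom(t));
            foreach (Type controller in controllers)
            {
                // Public instance methods declared on the controller itself, excluding [NonAction]
                // and compiler-generated property accessors.
                var actions = controller
                    .GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                    .Where(m => !m.IsSpecialName && !m.IsDefined(typeof(NonActionAttribute), true));
                foreach (MethodInfo action in actions)
                {
                    string verdict = IsAnonymouslyReachable(action) ? "ANONYMOUS" : "login required";
                    Console.WriteLine("{0}.{1}: {2}", controller.Name, action.Name, verdict);
                }
            }
        }
    }
}
```

Run against the article's last listing it flags all three actions of UserController as ANONYMOUS, which is exactly the surprise the paragraph above warns about. The audit only sees attributes; an AuthorizeAttribute registered globally in FilterConfig also requires login for otherwise unmarked actions, so treat its "ANONYMOUS" verdicts as worst-case reachability.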

In the next article, I am going to discuss Roles Management in ASP.NET Identity with Examples. Here, in this article, I have tried to explain Authorization in ASP.NET Identity with Examples. I hope you enjoyed this Authorization in ASP.NET Identity article.
