Role-Based Claims Authorization in ASP.NET Core Identity


In this article, I will discuss Role-Based Claims Authorization in ASP.NET Core Identity. This is a continuation of our previous article, where we discussed managing role claims, i.e., How to Add or Remove Role Claims in ASP.NET Core Identity.

Role-Based Claims Authorization in ASP.NET Core Identity

Role-based claims authorization in ASP.NET Core Identity is a powerful way to manage user access in an application. It combines the simplicity of Role-Based Authorization with the flexibility of Claims-Based Authorization. This approach allows us to assign roles to users and then use claims to specify the permissions or capabilities of those roles.

In our previous article, we saw that whenever we add claims to a role, those claims are stored in the AspNetRoleClaims identity database table.

Setup Role-Based Claim Authorization:

Define policies that specify the claims a user must have in order to access certain resources. In the Program.cs class file, define each policy through the AddAuthorization service, using the AddPolicy method of the AuthorizationOptions object to register the claim policies. We have already added the following configuration to our Program.cs class file.

builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("EditRolePolicy", policy => policy.RequireClaim("Edit Role"));
    options.AddPolicy("DeleteRolePolicy", policy => policy.RequireClaim("Delete Role"));
});

Note: There is no difference between adding claims to users and adding them to roles. The reason is that when we add claims to a role and assign that role to a user, the claims assigned to the role are automatically assigned to the user.

Now, you can apply the policies to controllers or action methods. In the Administration controller, decorate the EditUser action method with [Authorize(Policy = "EditRolePolicy")] and the DeleteUser action method with [Authorize(Policy = "DeleteRolePolicy")].

Now, if you try to delete a user while signed in with a role to which the Delete claim is not assigned, you will get the Access Denied error page.
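An added example, not part of the original article: a console program that evaluates the two policies above against constructed principals. It shows that RequireClaim("Delete Role") matches on the claim type alone, so a principal whose claim value is "false" is still allowed. The user names and claim values are constructed, and the project is assumed to reference the Microsoft.AspNetCore.App shared framework.

```csharp
// Added example, not from the article: evaluate the article's two policies
// against constructed principals. User names and claim values are made up.
using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

var services = new ServiceCollection();
services.AddLogging(); // DefaultAuthorizationService needs an ILogger
services.AddAuthorizationCore(options =>
{
    // Same policies as in the article's Program.cs.
    options.AddPolicy("EditRolePolicy", policy => policy.RequireClaim("Edit Role"));
    options.AddPolicy("DeleteRolePolicy", policy => policy.RequireClaim("Delete Role"));
});
using var provider = services.BuildServiceProvider();
var authz = provider.GetRequiredService<IAuthorizationService>();

// Constructed principals. At sign-in, Identity copies a role's claims into the
// user's ClaimsPrincipal, so this is what the policy handler evaluates.
var users = new[]
{
    Principal("editor@example.test", new Claim("Edit Role", "Edit Role")),
    Principal("viewer@example.test"), // holds no role claims
    Principal("odd@example.test", new Claim("Delete Role", "false")),
};

foreach (var user in users)
{
    foreach (var policyName in new[] { "EditRolePolicy", "DeleteRolePolicy" })
    {
        // Same check that [Authorize(Policy = "...")] triggers on an action method.
        var result = await authz.AuthorizeAsync(user, policyName);
        Console.WriteLine($"{user.Identity?.Name,-20} {policyName,-17} " +
                          (result.Succeeded ? "allowed" : "denied"));
    }
}

// Builds an authenticated principal carrying a name claim plus the given claims.
static ClaimsPrincipal Principal(string name, params Claim[] claims) =>
    new(new ClaimsIdentity(claims.Prepend(new Claim(ClaimTypes.Name, name)),
                           authenticationType: "Constructed"));
```

If the claim value should matter, the RequireClaim overload that takes allowed values restricts which values satisfy the policy.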

In the next article, I will discuss External Identity Providers in ASP.NET Core Identity. In this article, I explained Role Claims-Based Authorization in ASP.NET Core Identity. I hope you enjoyed this article.

4 thoughts on “Role-Based Claims Authorization in ASP.NET Core Identity”

  1. Thank you for all the effort you made. I benefited a lot and created the ASPNETCoreIdentityDemo project through the explanation.
    Thanks again

  2. Ibrahim Khalil Shakik

    Thank you for all the effort you made. I benefited a lot and created the ASPNETCoreIdentityDemo project through the explanation.
    Thanks again
