Tool for HR, Hiring Managers, and the Leadership Team
Articles

Authorization in ASP.NET Core

Authorization in ASP.NET Core is typically implemented in 4 common ways:

  1. Role-Based Authorization

  2. Policy-Based Authorization

  3. Claims-Based Authorization

  4. Custom Authorization Handler

Let's go step-by-step with real examples 👇

1. Role-Based Authorization (Most Common) 

You restrict access based on user roles like:

  • Admin

  • HR

  • Employee

  • Manager

Example

[Authorize(Roles = "Admin")]
public IActionResult GetUsers()
{
    return Ok("Only Admin can access");
}

Only Admin users can access this API.

Multiple Roles

[Authorize(Roles = "Admin,HR")]
public IActionResult GetCandidates()
{
    return Ok("Admin or HR can access");
}

Now:

✅ Admin → Allowed
✅ HR → Allowed
❌ Employee → Not Allowed

2. Policy-Based Authorization (Recommended for Complex Rules)

First, define policy in Program.cs

builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("HRPolicy",
        policy => policy.RequireRole("HR"));
});

Use policy:

[Authorize(Policy = "HRPolicy")]
public IActionResult GetApplicants()
{
    return Ok("Only HR");
}

Multiple Conditions Policy

builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("ManagerPolicy", policy =>
        policy.RequireRole("Manager")
              .RequireClaim("Department", "IT"));
});

Now:

User must be:

✅ Manager
✅ Department = IT

3. Claims-Based Authorization

Claims are user information stored inside token

Example claims:

  • Role

  • Department

  • Age

  • Country

Example

[Authorize(Policy = "ITDepartment")]
public IActionResult GetITData()
{
    return Ok();
}

Define policy:

builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("ITDepartment",
        policy => policy.RequireClaim("Department", "IT"));
});

Only users with Department = IT can access.

4. Custom Authorization (Advanced)

Create custom requirement:

public class MinimumAgeRequirement : IAuthorizationRequirement
{
    public int Age { get; }

    public MinimumAgeRequirement(int age)
    {
        Age = age;
    }
}

Handler:

public class MinimumAgeHandler : AuthorizationHandler<MinimumAgeRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        MinimumAgeRequirement requirement)
    {
        var age = int.Parse(context.User.FindFirst("Age").Value);

        if (age >= requirement.Age)
        {
            context.Succeed(requirement);
        }

        return Task.CompletedTask;
    }
}

Register:

builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("AgePolicy",
        policy => policy.Requirements.Add(new MinimumAgeRequirement(18)));
});

Use:

[Authorize(Policy = "AgePolicy")]
public IActionResult GetContent()
{
    return Ok();
}

Middleware Order (Important Interview Question)

Always use:

app.UseAuthentication();
app.UseAuthorization();

Order matters!

Interview Summary 

Authorization Type When to Use
Role Based Simple access
Policy Based Complex rules
Claims Based Token-based access
Custom Handler Advanced logic

One-Line Interview Answer

Authorization in ASP.NET Core can be implemented using Role-based, Policy-based, Claims-based, or Custom authorization handlers.

Receive Employee Referrals and Track For Your Job Post Effective HR Tool
HR and Hiring Manager Tools For the Recruitment
Shortlist Resumes Effectively Hiring HR Tools