![]() |
| Claim Based Authorization in ASP.NET Core |
Hello Everyone, In this blog we'll get to know everything about Claim Based Authorization. We've already discussed on different types of Authorization in ASP.NET Core. Here are the links to those articles:
- Introduction to Authorization in ASP.NET Core
- Role Based Authorization in ASP.NET Core
- Custom Authorization in ASP.NET Core
- Policy Based Authorization in ASP.NET Core
We're suggesting you to pleasego through these articles to understand Authorization in more detail.
What is Claim Based Authorization
Before understanding Claim Based Authorization, we must know about claims. So let's first understand Claim.
What is a Claim
A claim is a key value pair which tells the system who the user is. For e.g. when we register into a application we provide our personal information like name, email, dob, mobile, gender etc. These all information can be considered as claims, because it is telling the about the user.
In ASP.NET Core either we're are using Token Based or Cookie Based Autheintication, claims can be found under ClaimsPrincipal. However, we've to configure based on our requirement, which additional claims to be present under ClaimsPrincipal. We'll understand how to add claims as well.
Claim Based Authorization is giving access an endpoint or resource to user based on the claims. It basically verifies if the particular user has the corresponding claim. Based on that it allows the user the endpoint.
For e.g. we want an endpoint to be accessible to users of certain age. As we can have DOB in our claim so we can authorize based on the age.
Another example can be based on gender.
There can be many scenarios, we've to identify when to use Claim Based Authorization based on the requirement.
Implement Claim Based Authorization
Before diving into implementation, we've to know how to add claims for a user. Here we'll add claims for ASP.NET Core Identity. If you want to kanow more about ASP.NET Core Identity and how to implement it, you can refer to these below articles.
- Introduction to Authentication and ASP.NET Core Identity
- Authenticate Web API using ASP.NET Core Identity
Now, let's talk about adding claims using ASP.NET Core Identity.
Add User Claims
In ASP.NET Core Identity, there is a table named AspNetUserClaims, here we can add custom claims for a user. By default, it adds UserId, UserName and Email to the claimsPrincipal. However, if needed we can add custom claim as per our requirement.
Note: If you're using OIDC server like Azure AD, you can include include claims in token configuration.
However, we can include Claims from our backend application using Claims Transformation. We'll discuss more about this later sessions.
Here we'll simply add a claim to the AspNetUseClaims table to test our Claims Based Authorization. Let's add a claim named DOB with Value '1969-01-01' for a user.
Add Claim Check
Claim based authorization checks are declared via Policies. We've to specify claims checks using Policies. Let's add a policy having claim check.
builder.Services.AddAuthorization(options =>
{
options.AddPolicy("Is21OrOverOnly", policy =>
policy.RequireAssertion(context =gt; context.User.HasClaim(c =>
c.Type == "DOB" && AgeHelper.CalculateAge(c.Value) >= 21
)
)
);
});
We've registered the above policy in program.cs file. Let's apply the policy to our controller.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
namespace EmployeeManagement.Controllers
{
[Route("api/[controller]")]
[ApiController]
[Authorize(Policy = "Is21OrOverOnly")]
public class RolesController(RoleManager<IdentityRole> roleManager) : ControllerBase
{
[HttpGet]
public async Task<IActionResult>> GetAll()
{
return Ok(await roleManager.Roles.ToListAsync());
}
}
}
Test the implementation
In the above implementation, the user which is satisfying the above policy requirement will be able to access the Controller action method.
Adding a simple Claim check
We can also use policy.RequireClaim() for a simple claim check. Here is an example:
builder.Services.AddAuthorization(options =>
{
options.AddPolicy("HRMember", policy =>
policy.RequireClaim("Department", "HR")
);
});Above will simply validate the claim value against its name. However we can pass list of string as value. In this scenario only one value must match with the user's claim value.
Conclusion
Here we got to know everything about Claim Based Authorization. We can apply claim check using policy. This implementation can be used for Authorization when we've to apply authorization check using the Claims. It allows us to authorize based on the user information coming from identity.

Comments
Post a Comment