Tutorials ASP.NET Core Complete Tutorial (ShopNest)

Authorization in ASP.NET Core — Roles, Policies, Claims

Learn Authorization in ASP.NET Core — Roles, Policies, Claims in our free ASP.NET Core Complete Tutorial (ShopNest) series. Step-by-step explanations, examples, and interview tips on Toolliyo Academy.

On this page
Authorization in ASP.NET Core — Roles, Policies, Claims — ShopNest
Article 31 of 75 · Module 4: Authentication & Security · ShopNest Admin Dashboard with Granular Permissions
Target keyword: authorization asp.net core · Read time: ~30 min · .NET: 8 / 9 · Project: ShopNest Admin Dashboard with Granular Permissions

Introduction

ShopNest Admin Dashboard shows different menus and actions per role — authorization in ASP.NET Core supports simple roles, claims, policies with custom handlers, and resource-based checks via IAuthorizationService.

After this article you will

  • Apply [Authorize] with roles and policies
  • Build custom IAuthorizationRequirement handlers
  • Use IAuthorizationService for resource checks
  • Combine policies and programmatic checks
  • Render role-specific admin navigation

Prerequisites

Concept deep-dive

// Role-based
[Authorize(Roles = "Admin,Manager")]
public IActionResult Reports() => View();

// Policy-based
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("CanManageProducts", policy =>
        policy.RequireRole("Admin", "Vendor")
              .RequireClaim("Permission", "Products.Write"));
});

public class MinimumAgeRequirement : IAuthorizationRequirement
{
    public int MinimumAge { get; }
    public MinimumAgeRequirement(int age) => MinimumAge = age;
}

public class MinimumAgeHandler : AuthorizationHandler<MinimumAgeRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, MinimumAgeRequirement req)
    {
        var ageClaim = context.User.FindFirst("age")?.Value;
        if (int.TryParse(ageClaim, out var age) && age >= req.MinimumAge)
            context.Succeed(req);
        return Task.CompletedTask;
    }
}

Resource-based: await _authz.AuthorizeAsync(User, product, "ProductOwner");

Hands-on — ShopNest Admin Dashboard with Granular Permissions

  1. Policies: CanViewOrders, CanManageProducts, CanAccessAdmin.
  2. _AdminLayout.cshtml shows nav links based on User.IsInRole / policy.
  3. Product edit: authorize user owns product or is Admin.
  4. 403 Access Denied page for unauthorized attempts.

Common errors & best practices

  • [Authorize] without authentication middleware — always 401/redirect loop.
  • Role strings typo ("Admin " with space) — use constants.
  • Only attribute auth — sensitive logic in services needs programmatic checks too.

Interview questions

Q: Roles vs policies?
A: Roles are coarse groups; policies combine claims, roles, custom requirements flexibly.

Q: Resource-based auth?
A: Decision depends on the resource instance — "can user X edit product Y?"

Q: IAuthorizationHandler?
A: Evaluates requirements against user + optional resource.

Summary

  • Roles for coarse access; policies for flexible rules
  • Custom handlers encode business authorization logic
  • Admin dashboard uses policy-based menu visibility
  • Always authorize in services for sensitive operations

Previous: Authentication — Cookie and JWT
Next: JWT with Refresh Tokens

FAQ

Claims vs roles?

Roles are a type of claim; policies can require any claim combination.

Deny vs forbid?

Return ForbidResult (403) when authenticated but not authorized.

Questions on this lesson 0

Sign in to ask a question or upvote helpful answers.

No questions yet — be the first to ask!

ASP.NET Core Complete Tutorial (ShopNest)
Course syllabus
Module 1: Foundations
Module 2: Entity Framework Core
Module 3: Dependency Injection & Middleware
Module 4: Authentication & Security
Module 5: Web API
Module 6: Advanced Architecture
Module 7: Testing
Module 8: Deployment & DevOps
Module 9: Real-World Projects
Module 10: Advanced Topics
Toolliyo Assistant
Ask about tutorials, ebooks, training, pricing, mentor services, and support. I use public site content only—not admin or internal tools.

care@toolliyo.com

Need callback? Share your details