Toolliyo | Developer Learning Platform

Authorization in ASP.NET Core — Roles, Policies, Claims

Learn Authorization in ASP.NET Core — Roles, Policies, Claims in our free ASP.NET Core Complete Tutorial (ShopNest) series. Step-by-step explanations, examples, and interview tips on Toolliyo Academy.

Target keyword: authorization asp.net core · Read time: ~30 min · .NET: 8 / 9 · Project: ShopNest Admin Dashboard with Granular Permissions

Introduction

ShopNest Admin Dashboard shows different menus and actions per role — authorization in ASP.NET Core supports simple roles, claims, policies with custom handlers, and resource-based checks via IAuthorizationService.

After this article you will

Apply [Authorize] with roles and policies
Build custom IAuthorizationRequirement handlers
Use IAuthorizationService for resource checks
Combine policies and programmatic checks
Render role-specific admin navigation

Prerequisites

Article 30 — Authentication — Cookie and JWT
ShopNest.Web with EF Core and configuration from Module 3

Concept deep-dive

// Role-based
[Authorize(Roles = "Admin,Manager")]
public IActionResult Reports() => View();

// Policy-based
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("CanManageProducts", policy =>
        policy.RequireRole("Admin", "Vendor")
              .RequireClaim("Permission", "Products.Write"));
});

public class MinimumAgeRequirement : IAuthorizationRequirement
{
    public int MinimumAge { get; }
    public MinimumAgeRequirement(int age) => MinimumAge = age;
}

public class MinimumAgeHandler : AuthorizationHandler<MinimumAgeRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, MinimumAgeRequirement req)
    {
        var ageClaim = context.User.FindFirst("age")?.Value;
        if (int.TryParse(ageClaim, out var age) && age >= req.MinimumAge)
            context.Succeed(req);
        return Task.CompletedTask;
    }
}

Resource-based: await _authz.AuthorizeAsync(User, product, "ProductOwner");

Hands-on — ShopNest Admin Dashboard with Granular Permissions

Policies: CanViewOrders, CanManageProducts, CanAccessAdmin.
_AdminLayout.cshtml shows nav links based on User.IsInRole / policy.
Product edit: authorize user owns product or is Admin.
403 Access Denied page for unauthorized attempts.

Common errors & best practices

[Authorize] without authentication middleware — always 401/redirect loop.
Role strings typo ("Admin " with space) — use constants.
Only attribute auth — sensitive logic in services needs programmatic checks too.

Interview questions

Q: Roles vs policies?
A: Roles are coarse groups; policies combine claims, roles, custom requirements flexibly.

Q: Resource-based auth?
A: Decision depends on the resource instance — "can user X edit product Y?"

Q: IAuthorizationHandler?
A: Evaluates requirements against user + optional resource.

Summary

Roles for coarse access; policies for flexible rules
Custom handlers encode business authorization logic
Admin dashboard uses policy-based menu visibility
Always authorize in services for sensitive operations

Previous: Authentication — Cookie and JWT
Next: JWT with Refresh Tokens

ASP.NET Core Complete Tutorial (ShopNest)