Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Authorization now includes code configured policy support. #22
ASP.NET authorization now supports code based policies. We provide implementations to support claims based authorization and the ability to express your own policies in code. An authorization policy must contain one or more requirements.
Policy configuration is done within
A simple policy to check for the presence of a claim would be configured as follows
and would be applied as
You can also specify a list of comma separated values as part of the claim requirement, for example
which would pass authorization if the Permissions claim had a value or either Read or Update.
A more complicated requirement would involve implementing IAuthorizationRequirement and an AuthorizationHandler. For example if your identity had a DateOfBirth claim and you wanted to implement a minimum age requirement it could look like
You could then configure it
and apply it via
Finally you can use policy to limit the authentication schemes checked during authorization, for example
would only allow requests which provide an identity to Bearer middleware to access the resource behind them.
referenced this issue
May 8, 2015
How can you manually check whether a User meets a given AuthorizationPolicy, outside of the AuthorizeAttribute?
Given that AuthorizationOptions can be injected, is there something like