ASP.NET Core v2.1: Authorization

By Damien Guard

This tutorial will show you how to assign roles to your users, and use those claims to authorize or deny a user to access certain routes in the app. We recommend that you log in to follow this quickstart with examples configured for your account.

I want to integrate with my app

15 minutes

Create and Assign Roles
Restrict Access Based on User Roles

I want to explore a sample app

2 minutes

Get a sample configured with your account settings or check it out on Github.

View on Github

System requirements: .NET Core 2.1

ASP.NET Core supports Role based Authorization which allows you to limit access to your application based on the user's role. This tutorial shows how to add role information to the user's ID token and then use it to limit access to your application.

To follow the tutorial, make sure you are familiar with Rules.

Create and Assign Roles

Before you can add Role Based Access Control, you will need to ensure the required roles are created and assigned to the corresponding user(s). Follow the guidance explained in assign-roles-to-users to ensure your user gets assigned the admin role.

Once the role is created and assigned to the required user(s), you will need to create a rule that adds the role(s) to the Id Token so that it is available to your backend. To do so, go to the new rule page and create an empty rule. Then, use the following code for your rule:

function (user, context, callback) {
  const assignedRoles = (context.authorization || {}).roles;
  const idTokenClaims = context.idToken || {};
  
  idTokenClaims['https://schemas.quickstarts.com/roles'] = assignedRoles;

  callback(null, user, context);
}

Was this helpful?

This quickstart uses https://schemas.quickstarts.com/roles for the claim namespace, but it is suggested that you use a namespace related to your own Auth0 tenant for your claims, e.g. https://schemas.YOUR_TENANT_NAME.com/roles.

For more information on custom claims, read User profile claims and scope.

Restrict Access Based on User Roles

Configure the OIDC authentication handler registration inside your ASP.NET application to inform it which claim in the ID Token contains the role information. Specify the RoleClaimType inside TokenValidationParameters. The value you specify must match the namespace you used in your rule.

public void ConfigureServices(IServiceCollection services)
{
    // Some code omitted for brevity...

    // Add authentication services
    services.AddAuthentication(options => {
        //...
    })
    .AddCookie()
    .AddOpenIdConnect("Auth0", options => {
        // ...

        // Set the correct name claim type
        options.TokenValidationParameters = new TokenValidationParameters
        {
            NameClaimType = "name",
            RoleClaimType = "https://schemas.quickstarts.com/roles"
        };

        //...
    });
}

Was this helpful?

You can use the Role based authorization mechanism to make sure that only the users with specific roles can access certain actions. Add the [Authorize(Roles = ?)] attribute to your controller action.

The sample code below restricts the action only to users who have the admin role:

// Controllers/HomeController.cs

[Authorize(Roles = "admin")]
public IActionResult Admin()
{
  return View();
}

Was this helpful?

What can you do next?

Configure other identity providers

Enable multifactor authentication

Learn about attack protection

Learn about rules

Did it work?

Any suggestion or typo?

Edit on GitHub