ASP.NET (OWIN): Authorization

By Damien Guard

This tutorial demonstrates how to assign roles to your users, and use those roles to authorize or deny a user to access certain routes in the app. We recommend that you log in to follow this quickstart with examples configured for your account.

I want to integrate with my app

15 minutes

Create and Assign Roles
Restrict an Action Based on a User's Role

I want to explore a sample app

2 minutes

Get a sample configured with your account settings or check it out on Github.

View on Github

System requirements: Microsoft Visual Studio 2017 | Microsoft.Owin.Security.OpenIdConnect v4.1.0 and up

ASP.NET (OWIN) supports Role-based Authorization which allows you to limit access to your application based on the user's role. This tutorial shows how to add role information to the user's ID Token and then use it to limit access to your application.

This tutorial assumes that you are familiar with Rules.

Create and Assign Roles

Before you can add Role Based Access Control, you will need to ensure the required roles are created and assigned to the corresponding user(s). Follow the guidance explained in assign-roles-to-users to ensure your user gets assigned the admin role.

Once the role is created and assigned to the required user(s), you will need to create a rule that adds the role(s) to the Id Token so that it is available to your backend. To do so, go to the new rule page and create an empty rule. Then, use the following code for your rule:

function (user, context, callback) {
  const assignedRoles = (context.authorization || {}).roles;
  const idTokenClaims = context.idToken || {};
  
  idTokenClaims['https://schemas.quickstarts.com/roles'] = assignedRoles;

  callback(null, user, context);
}

Was this helpful?

This quickstart uses https://schemas.quickstarts.com/roles for the claim namespace, but it is suggested that you use a namespace related to your own Auth0 tenant for your claims, e.g. https://schemas.YOUR_TENANT_NAME.com/roles.

For more information on custom claims, read User profile claims and scope.

Restrict an Action Based on a User's Role

Update the OpenID Connect middleware registration inside your Startup class to inform it which claim in the ID Token contains the role information by setting the RoleClaimType property of the TokenValidationParameters. The value you specify must match the claim you used in your rule.

// Startup.cs

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    //...
    TokenValidationParameters = new TokenValidationParameters
    {
        NameClaimType = "name",
        RoleClaimType = "https://schemas.quickstarts.com/roles"
    },
    //...
});

Was this helpful?

Now you can add a new action to your controller and restrict it by decorating your controller actions with the [Authorize(Roles = ?)] attribute.

The sample code below will restrict the particular action to users who have the "admin" role:

// Controllers/AccountController.cs

[Authorize(Roles = "admin")]
public ActionResult Admin()
{
    return View();
}

Was this helpful?

What can you do next?

Configure other identity providers

Enable multifactor authentication

Learn about attack protection

Learn about rules

Did it work?

Any suggestion or typo?

Edit on GitHub