ASP .NET 5 MVC 6 Identity 3 Roles Claims Groups

We were in the same boat here, without much in terms of reading apart from the source of course...

We ended up implementing Policies. Policies being a group of Claims that are required for authorization to be satisfied. These Policies can then be applied to Controllers.

You can define your Policies in Startup.cs, ConfigureServices:

services.AddAuthorization(options =>
{
    // Both claims must be present on the user; separate RequireClaim calls are ANDed.
    options.AddPolicy("SalesSenior", policy =>
    {
        policy.RequireClaim("department", "sales");
        policy.RequireClaim("status", "senior");
    });
});

We defined Roles, assigned 1 or more Claims to them and assigned Roles to Users allowing them to be checked against the appropriate Policy on hitting a Controller.

You can inject the IAuthorizationService into a Controller or Attribute like so:

public class SalesDashboardController : Controller
{
    private readonly IAuthorizationService _authz;

    // IAuthorizationService is resolved from the DI container
    public SalesDashboardController(IAuthorizationService authz)
    {
        _authz = authz;
    }
}

You can then use the IAuthorizationService to check the validity of a user's claims...

if (await _authz.AuthorizeAsync(User, "SalesSenior"))
{
    // User is authorized (on ASP.NET 5 / Core 1.x AuthorizeAsync returns bool)
}

This article was my main source for this stuff and was a great primer for me. Good luck!
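A fuller version of the same pattern, added here as an example and not code from the answer above. It assumes ASP.NET Core 3.0 or later (where AuthorizeAsync returns an AuthorizationResult and AuthorizationOptions.FallbackPolicy exists) and that the authentication scheme and the UseAuthentication/UseAuthorization pipeline are configured elsewhere; the "SalesOrMarketing" policy and the Export action are hypothetical names.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        services.AddAuthorization(options =>
        {
            // Separate RequireClaim calls are ANDed: the user needs
            // department=sales AND status=senior to satisfy this policy.
            options.AddPolicy("SalesSenior", policy =>
            {
                policy.RequireAuthenticatedUser();
                policy.RequireClaim("department", "sales");
                policy.RequireClaim("status", "senior");
            });
            // Several values in one RequireClaim call are ORed (hypothetical policy name).
            options.AddPolicy("SalesOrMarketing", policy =>
                policy.RequireClaim("department", "sales", "marketing"));
            // Deny by default: endpoints with no [Authorize] attribute still
            // require an authenticated user (AuthorizationOptions.FallbackPolicy, 3.0+).
            options.FallbackPolicy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
        });
    }
}

// Declarative check. The policy name must match one registered above; an
// unknown name throws InvalidOperationException at request time rather than failing open.
[Authorize(Policy = "SalesSenior")]
public class SalesDashboardController : Controller
{
    private readonly IAuthorizationService _authz;
    public SalesDashboardController(IAuthorizationService authz) => _authz = authz;

    // Imperative check of a second policy inside an action (hypothetical action).
    public async Task<IActionResult> Export()
    {
        AuthorizationResult result = await _authz.AuthorizeAsync(User, "SalesOrMarketing");
        if (!result.Succeeded)
            return Forbid();   // 403 (or the scheme's access-denied handling) for a user lacking the claim
        return Ok("export");
    }
}
```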

If you are looking for a sample project there are not that many out there at the moment. The first place to look is on the aspnet GitHub project pages.

Luckily, the ASP.NET Identity sub-project has a sample project that you can take a look at here; however, it may not cover all your requirements. Note that this is using the latest beta.


This thread helped me get something working, but it's sad that this is not better documented.

Here are my attempts at improving that.

in Startup.cs --> ConfigureServices

        // Define your policies here: a policy name associated with claim types that have claim values.
        // The claims need to be in the AspNetUserClaims table (user id, "department", "Dev")
        // for a user to be allowed access to the Dev policy.
        // Add the authorization option below to make it work, and in the API controller add the
        // [Authorize("Dev")] attribute.
        services.AddAuthorization(options =>
        {
            options.AddPolicy("Dev", policy => { policy.RequireClaim("department", "Dev"); });
        });