This article is intended for .NET Core. See here how to do that in .NET Framework!
I recently discovered that customizing the validation performed by the Authorize attribute in .NET Core is now based on policy implementations.
At first this disappointed me because, like any developer, I don't like changing my habits, but on closer inspection it turns out to be a huge and valuable change.
Let's have a closer look at policy-based authorization in ASP.NET Core!
In .NET Framework, we simply had to inherit from the AuthorizeAttribute class and override the AuthorizeCore method.
It's now totally different in .NET Core: we simply have to implement a requirement based on IAuthorizationRequirement. Let's create an example.
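```csharp
using Microsoft.AspNetCore.Authorization;

// A requirement is plain data: it carries the parameters of the rule, not the check itself.
public class MinimumAgeRequirement : IAuthorizationRequirement
{
    public int MinimumAge { get; }

    public MinimumAgeRequirement(int minimumAge)
    {
        MinimumAge = minimumAge;
    }
}
```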
Once the requirement is created, we need to implement a handler for it, which is an implementation of IAuthorizationHandler.
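```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

public class MinimumAgeHandler : AuthorizationHandler<MinimumAgeRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, MinimumAgeRequirement requirement)
    {
        // Add your logic here to check the age of your user.
        // Call context.Succeed(requirement) when the check passes;
        // returning without it leaves the requirement unmet and access is denied.
        return Task.CompletedTask;
    }
}
```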
The last thing to do is to register your policy in the authorization options of your services.
```csharp
services.AddAuthorization(options =>
{
    options.AddPolicy("MinimumAgePolicy", policy =>
        policy.Requirements.Add(new MinimumAgeRequirement(18)));
});
```
Now apply policy-based authorization in ASP.NET Core!
MVC controllers
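```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Every action of this controller requires the policy to succeed.
[Authorize(Policy = "MinimumAgePolicy")]
public class MinimumAgePolicyController : Controller
{
    public IActionResult Index() => View();
}
```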
Razor pages
```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.RazorPages;

namespace AuthorizationPoliciesSample.Pages;

[Authorize(Policy = "MinimumAgePolicy")]
public class MinimumAgePolicyModel : PageModel
{
}
```
Endpoints
```csharp
app.MapGet("/helloworld", () => "Hello World!")
    .RequireAuthorization("MinimumAgePolicy");
```
For dynamic generation of policies, you can implement IAuthorizationPolicyProvider.
Conclusion
Policy-based authorization in ASP.NET Core provides a powerful and flexible way to manage access control beyond simple role checks. By defining custom policies, requirements, and handlers, developers can enforce fine-grained rules tailored to business needs.
This approach not only promotes cleaner code and separation of concerns but also improves maintainability and scalability in larger applications. Whether you’re securing controller actions, Razor Pages, or endpoints, policy-based authorization equips you with the tools to handle complex authorization scenarios effectively.
As security remains a critical aspect of any application, mastering these concepts is an essential step toward building robust and secure ASP.NET Core applications. With the basics now covered, you’re ready to explore more advanced techniques, like combining multiple requirements or integrating external authorization providers, to further strengthen your app’s security model.