Policy-based Authorization in ASP.Net Core (with Custom Authorization Handler)

In my last video, I walked through how to implement Role-based authorization in an ASP.Net Core application. In this video, I will walk through how to implement Policy-based authorization in an ASP.Net Core application.

With role-based authorization, flexibility is very limited: a role can either access a resource or it cannot. If we want to run custom logic irrespective of the role and authorize an identity based on the result, we need policy-based authorization.

In policy-based authorization, a policy consists of two main parts:

1. One or more requirements. A requirement is a collection of data that the policy handler uses to implement the logic of the policy.
2. A handler for each requirement. Most importantly, the handler is responsible for performing the logic of the authorization checks.

Another place where policy-based authorization comes in really handy is when you have multiple roles in an application. Passing different permutations and combinations of roles to the AuthorizeAttribute attribute is cumbersome, whereas we can easily create a policy based on multiple role combinations.
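The two parts described above, as an added example that is not code from the video: a requirement that only carries data, a handler that makes the decision, and a policy that combines it with a role check. The class names, the policy name `TenuredAdminOrPowerUser`, the `HireDate` claim and its `yyyy-MM-dd` format are assumptions made for illustration.

```csharp
using System;
using System.Globalization;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// Requirement: plain data the handler evaluates (hypothetical name).
public sealed class MinimumYearsEmployedRequirement : IAuthorizationRequirement
{
    public int Years { get; }
    public MinimumYearsEmployedRequirement(int years) => Years = years;
}

// Handler: the authorization logic for that requirement.
public sealed class MinimumYearsEmployedHandler
    : AuthorizationHandler<MinimumYearsEmployedRequirement>
{
    // Assumed claim type; the value is expected as yyyy-MM-dd.
    public const string HireDateClaim = "HireDate";

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        MinimumYearsEmployedRequirement requirement)
    {
        var claim = context.User.FindFirst(HireDateClaim);
        // Missing or malformed claim: never call Succeed, so access is denied.
        if (claim != null &&
            DateTime.TryParseExact(claim.Value, "yyyy-MM-dd",
                CultureInfo.InvariantCulture, DateTimeStyles.None, out var hired) &&
            hired.AddYears(requirement.Years) <= DateTime.UtcNow.Date)
        {
            context.Succeed(requirement);
        }
        return Task.CompletedTask;
    }
}

public static class AuthorizationSetup
{
    public static IServiceCollection AddAppPolicies(this IServiceCollection services)
    {
        services.AddSingleton<IAuthorizationHandler, MinimumYearsEmployedHandler>();
        return services.AddAuthorization(options =>
            options.AddPolicy("TenuredAdminOrPowerUser", policy => policy
                .RequireRole("Admin", "PowerUser")   // either role satisfies this
                .AddRequirements(new MinimumYearsEmployedRequirement(20))));
    }
}
```

A controller or action opts in with `[Authorize(Policy = "TenuredAdminOrPowerUser")]`; every requirement in the policy must succeed, so a user with the right role but a missing or too-recent hire date is refused.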

Comments

my friend, you saved my life with a current project. You're amazing

justonegoodtrade

Excellent explanation. Thank you very much.

xposedcadabiola.o

Excellent lesson, thank you very much.

nickeax

Suggestion: Video for when to use Transient, Scoped and Singleton would be really helpful. (on your real-world project experience :) )

saurabhchauhan

great vid. but unrelated question, what's the name of the extension that you're using to get when the code was committed last and by whom?

ataaact

can you kindly tell me how to write an authorization handler to keep users with the same role, i.e. user, from editing or deleting each other's records

xwqureg

Thank you very much. Can you also make a video on how to change the user claim after the user is logged in? I need the flexibility to refresh the claims of the user without asking him to log out and log in again.

yogeswarank

good video, but I have a question: what if my Roles are created while the Application is running? They should not be hard coded here, especially when you are using the RequireRole function

OsamaALSHABANi

First of all, great video.
Got a quick question: at 16:58, you replaced the previous policy "AdminAndPowerUser" with the new one.
What if I want to keep the previous one as well, so a user who is an Admin but has worked less than 20 years can still have the access?
Could you please help to explain how to implement that? Thanks very much.

yanchenru

how can we fetch roles from db and use in handler

sav

My friend it's authorization not authentication.

You can authenticate yourself with bearer token, cookie etc. - just to tell who you are.
You can authorize yourself with policies or roles - check if you're allowed to do something.

genotypek