Using Single Sign-On for Securing Applications in ASP.NET Core/

...

/

Role-Based Authorization

Role-Based Authorization

Discover how role-based authorization is implemented in ASP.NET Core.

We'll cover the following...

Role-based authorization is, perhaps, the best-known type of authorization. When it's applied to any endpoint, only the users assigned to any of the specified roles are allowed to access it. Otherwise, no access is given.

Role-based authorization and JWT

There is no strongly-defined standard of how user roles are defined in a JWT. However, a common way of sharing user roles is to have a role claim that is mapped to an array of individual role names in the JWT payload.

Here is an example of a JWT payload:

Press + to interact
{
  "nbf": 1671040821,
  "exp": 1671044421,
  "iss": "https://localhost:5001",
  "client_id": "aspNetCoreAuth",
  "sub": "14556fa4-52aa-4e9c-9f59-27e68fa045cc",
  "auth_time": 1671040819,
  "idp": "local",
  "email": "adminuser@example.com",
  "name": "adminuser",
  "role": [
    "admin",
    "user"
  ],
  "admin": "true",
  "scope": [
    "openid",
    "profile"
  ],
  "amr": [
    "pwd"
  ]
}

In this example, the role claim can be found in lines 11–14. In this example, there are two roles: admin and user. This means that the user for whom this token was issued would be authorized to access any endpoints that require either of these roles. The user will also still be able to access any endpoint that doesn't require either authentication or authorization.

Role-based authorization in ASP.NET Core

Specific ...