Role-Based Authorization
Discover how role-based authorization is implemented in ASP.NET Core.
Role-based authorization is, perhaps, the best-known type of authorization. When it is applied to an endpoint, only users assigned to at least one of the specified roles are allowed to access it; everyone else is denied.
Role-based authorization and JWT
There is no strongly defined standard for how user roles are represented in a JWT. However, a common way of sharing user roles is to have a role claim that maps to an array of individual role names in the JWT payload.
Here is an example of a JWT payload:
{
  "nbf": 1671040821,
  "exp": 1671044421,
  "iss": "https://localhost:5001",
  "client_id": "aspNetCoreAuth",
  "sub": "14556fa4-52aa-4e9c-9f59-27e68fa045cc",
  "auth_time": 1671040819,
  "idp": "local",
  "email": "adminuser@example.com",
  "name": "adminuser",
  "role": [
    "admin",
    "user"
  ],
  "admin": "true",
  "scope": [
    "openid",
    "profile"
  ],
  "amr": [
    "pwd"
  ]
}
In this example, the role claim can be found in lines 11–14, and it holds two roles: admin and user. This means that the user for whom this token was issued is authorized to access any endpoint that requires either of these roles. The user can also still access any endpoint that requires neither authentication nor authorization.
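The following C# program is an added example, not code from the original page or from ASP.NET Core itself. It takes a JWT payload like the one above (already decoded; the assumption is that the authentication middleware has validated the token's signature and expiry before any of this runs), maps the role claim onto a ClaimsPrincipal with the same ClaimTypes.Role mapping the framework uses, and then evaluates a comma-separated role requirement the way [Authorize(Roles = "...")] does: access is granted if the user holds any one of the listed roles. The class name, the constructed sample payload and the IsAuthorized helper are assumptions for illustration.

```csharp
// Added example (not from the original page): map a JWT "role" claim onto a
// ClaimsPrincipal and evaluate an "any of these roles" requirement.
// Assumption: the token has already been validated by the JwtBearer middleware;
// this code only covers the claim-to-role mapping and the authorization decision.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text.Json;

public static class RoleAuthorizationDemo
{
    // Constructed sample payload (subset of the article's token), decoded JSON.
    const string SamplePayloadJson =
        "{\"sub\":\"14556fa4-52aa-4e9c-9f59-27e68fa045cc\",\"name\":\"adminuser\"," +
        "\"role\":[\"admin\",\"user\"],\"scope\":[\"openid\",\"profile\"]}";

    // Extract role names whether the claim is an array or a single string.
    // A missing or malformed "role" claim yields no roles rather than an error.
    public static IReadOnlyList<string> RolesFromPayload(string payloadJson)
    {
        using var doc = JsonDocument.Parse(payloadJson);
        if (!doc.RootElement.TryGetProperty("role", out var role))
            return Array.Empty<string>();

        return role.ValueKind switch
        {
            JsonValueKind.Array => role.EnumerateArray()
                                       .Where(r => r.ValueKind == JsonValueKind.String)
                                       .Select(r => r.GetString()!)
                                       .ToArray(),
            JsonValueKind.String => new[] { role.GetString()! },
            _ => Array.Empty<string>()
        };
    }

    // Build the principal the way the framework does: each role becomes a
    // ClaimTypes.Role claim, and the identity is told which claim type is its role type.
    public static ClaimsPrincipal PrincipalFromPayload(string payloadJson)
    {
        var claims = RolesFromPayload(payloadJson).Select(r => new Claim(ClaimTypes.Role, r));
        var identity = new ClaimsIdentity(claims, "Bearer", ClaimTypes.Name, ClaimTypes.Role);
        return new ClaimsPrincipal(identity);
    }

    // Mirrors [Authorize(Roles = "a,b")]: authorized if the user is in ANY listed role.
    public static bool IsAuthorized(ClaimsPrincipal user, string requiredRoles)
        => requiredRoles.Split(',')
                        .Select(r => r.Trim())
                        .Where(r => r.Length > 0)
                        .Any(user.IsInRole);

    public static void Main()
    {
        var user = PrincipalFromPayload(SamplePayloadJson);
        Console.WriteLine($"admin        -> {IsAuthorized(user, "admin")}");
        Console.WriteLine($"manager,user -> {IsAuthorized(user, "manager,user")}");
        Console.WriteLine($"manager      -> {IsAuthorized(user, "manager")}");

        // A token that carries no "role" claim at all: every role requirement fails.
        var noRoles = PrincipalFromPayload("{\"sub\":\"constructed-subject\"}");
        Console.WriteLine($"no role claim -> {IsAuthorized(noRoles, "user")}");
    }
}
```

One caveat worth checking in a real ASP.NET Core API: the JwtBearer handler by default renames the incoming "role" claim to ClaimTypes.Role through its inbound claim type map, which is what makes ClaimsPrincipal.IsInRole (and therefore the Roles property of [Authorize]) work. If MapInboundClaims is turned off in JwtBearerOptions, the claim keeps the literal name "role" and you must set TokenValidationParameters.RoleClaimType = "role", otherwise every role check silently fails and users are denied even when the token lists the right roles.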
Role-based authorization in ASP.NET Core
Specific ...