ASP.NET Core v1.1: Authorization
This tutorial will show you how to assign roles to your users as claims, and how to use those claims to allow or deny a user access to certain routes in the app.
ASP.NET Core supports role-based authorization, which lets you limit what users can access based on their role in the application. In this tutorial we will look at how you can add role information to your users' ID Token and then use that information inside your application to limit a user's access.
Create a Rule to assign roles
First, we will create a rule that assigns our users either an admin role or a user role based on the email domain. To do so, go to the new rule page and create an empty rule. Then use the following code for your rule:
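The rule itself, as an added example rather than the quickstart's own rule code (which is not reproduced on this page): it assigns "admin" or "user" from the email domain and writes the result into the ID Token under the namespaced claim used below. The admin domain `example.com`, the `email_verified` check and the `rolesFor` test helper are additions for illustration; only the function body goes into the rule editor.

```javascript
// Added example, not the quickstart's own rule code. An Auth0 rule that assigns
// either the "admin" or the "user" role from the e-mail domain and writes the
// result into the ID Token under a namespaced claim. The admin domain
// "example.com" is an assumption; replace it with your own.
function assignRolesRule(user, context, callback) {
  var ROLES_CLAIM = 'https://schemas.quickstarts.com/roles'; // must match RoleClaimType in the app
  var ADMIN_DOMAIN = 'example.com';                          // assumed admin domain

  // Normalise the address and take everything after the last "@" as the domain.
  var email = (user.email || '').toLowerCase();
  var at = email.lastIndexOf('@');
  var domain = at >= 0 ? email.slice(at + 1) : '';

  // Added check: only trust the domain when Auth0 reports the address as
  // verified. Without it, anyone who signs up with an unverified
  // "@example.com" address on a database connection would be made an admin.
  var isAdmin = user.email_verified === true && domain === ADMIN_DOMAIN;

  context.idToken = context.idToken || {};
  context.idToken[ROLES_CLAIM] = isAdmin ? ['admin'] : ['user'];
  callback(null, user, context);
}

// Local test harness (not part of the rule): runs the rule on a constructed user
// object and returns the roles that would end up in the ID Token.
function rolesFor(user) {
  var result = null;
  assignRolesRule(user, { idToken: {} }, function (err, _u, ctx) {
    if (err) { throw err; }
    result = ctx.idToken['https://schemas.quickstarts.com/roles'];
  });
  return result;
}

// Constructed sample users, not real accounts.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(rolesFor({ email: 'alice@example.com', email_verified: true }));    // [ 'admin' ]
  console.log(rolesFor({ email: 'mallory@example.com', email_verified: false })); // [ 'user' ]
  console.log(rolesFor({ email: 'bob@other.org', email_verified: true }));        // [ 'user' ]
}
```

In the Auth0 rule editor the rule must be a single anonymous `function (user, context, callback) { ... }`, so paste the body of `assignRolesRule` there and drop the `rolesFor` harness. Call `callback` exactly once on every path, otherwise the login hangs or is rejected.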
Update the code to check for your own email domain, or match the condition according to your needs. Notice that you can also set roles other than admin and user, or customize the whole rule as you please.
This quickstart uses https://schemas.quickstarts.com/roles as the claim namespace, but it is suggested that you use a namespace related to your own Auth0 tenant for your claims, e.g. a URL under a domain you control. Auth0 only adds custom claims to the ID Token when they are namespaced in this way; a bare claim name such as roles is silently dropped.
Restrict an Action Based on a User's Roles
Next you will need to configure the OIDC middleware registration inside your ASP.NET application to inform it which claim in the ID Token contains the role information. Alter your OIDC middleware registration to specify the RoleClaimType inside the TokenValidationParameters. Ensure that this matches the namespace you used inside your Rule.
At this point you have integrated with the role-based authorization mechanism of ASP.NET Core, which means that you can ensure that a user belongs to a particular role by simply decorating your controller actions with the [Authorize(Roles = ?)] attribute.
The sample code below restricts an action to users who have the "admin" role:
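Both steps described above, the middleware registration with RoleClaimType and the role-restricted action, as one added C# example for ASP.NET Core 1.1 (not the quickstart's own sample code, which is not reproduced on this page). The Auth0Settings class, the ConfigureAuth0 method name and the AdminController are assumptions; the cookie middleware and the rest of the login setup are unchanged from the login quickstart and omitted here.

```csharp
// Added example, not the quickstart's own code. ASP.NET Core 1.1 wiring that
// (1) tells the OIDC middleware which ID Token claim carries roles and
// (2) restricts a controller action to the "admin" role.
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;

// Assumed settings class bound from configuration (Domain, ClientId, ClientSecret).
public class Auth0Settings
{
    public string Domain { get; set; }
    public string ClientId { get; set; }
    public string ClientSecret { get; set; }
}

public partial class Startup
{
    // Must be byte-for-byte the claim name the Rule writes into context.idToken.
    private const string RolesClaimNamespace = "https://schemas.quickstarts.com/roles";

    // Assumed helper called from Configure(); the cookie middleware that stores the
    // sign-in is registered before this, exactly as in the login quickstart.
    public void ConfigureAuth0(IApplicationBuilder app, Auth0Settings auth0)
    {
        var options = new OpenIdConnectOptions("Auth0")
        {
            Authority = $"https://{auth0.Domain}",
            ClientId = auth0.ClientId,
            ClientSecret = auth0.ClientSecret,
            ResponseType = "code",
            CallbackPath = new PathString("/signin-auth0"),
            SaveTokens = true,
            TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name",
                // Map the namespaced claim onto the identity's role claim type so
                // [Authorize(Roles = ...)] and User.IsInRole() see it.
                RoleClaimType = RolesClaimNamespace
            }
        };
        app.UseOpenIdConnectAuthentication(options);
    }
}

public class AdminController : Controller
{
    // Role values are compared with an ordinal string comparison, so "admin" must
    // match the value the Rule placed in the ID Token exactly, case included.
    [Authorize(Roles = "admin")]
    public IActionResult Index() => View();

    // Any signed-in user can reach this; shows the same role check done in code.
    [Authorize]
    public IActionResult Me() => Content(User.IsInRole("admin") ? "admin" : "user");
}
```

The middleware only honours the roles claim after it has validated the ID Token's signature against the keys published by the Authority, so a client cannot simply add a roles claim to a token it crafts itself; the trust rests on that validation, which is why Authority must point at your own tenant. If the Rule writes an array such as ["admin", "user"], the JWT handler turns it into one role claim per element, so a user in both roles passes both [Authorize(Roles = "admin")] and [Authorize(Roles = "user")].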