ASP.NET Core: Authorization

View on Github

ASP.NET Core: Authorization

Gravatar for
By Damien Guard

This tutorial will show you how to assign roles to your users, and use those claims to authorize or deny a user to access certain routes in the app. We recommend that you log in to follow this quickstart with examples configured for your account.

I want to integrate with my app

15 minutes
  1. Create and Assign Roles
  2. Restrict Access Based on User Roles

I want to explore a sample app

2 minutes

Get a sample configured with your account settings or check it out on Github.

View on Github
System requirements: .NET Core 3.1 | .NET 5.0

ASP.NET Core supports Role based Authorization which allows you to limit access to your application based on the user's role. This tutorial shows how to add role information to the user's ID token and then use it to limit access to your application.

To follow the tutorial, make sure you are familiar with Rules.

Create and Assign Roles

Before you can add Role Based Access Control, you will need to ensure the required roles are created and assigned to the corresponding user(s). Follow the guidance explained in assign-roles-to-users to ensure your user gets assigned the admin role.

Once the role is created and assigned to the required user(s), you will need to create a rule that adds the role(s) to the Id Token so that it is available to your backend. To do so, go to the new rule page and create an empty rule. Then, use the following code for your rule:

function (user, context, callback) {
  const assignedRoles = (context.authorization || {}).roles;
  const idTokenClaims = context.idToken || {};
  idTokenClaims[''] = assignedRoles;

  callback(null, user, context);

This quickstart uses for the claim namespace, but it is suggested that you use a namespace related to your own Auth0 tenant for your claims, e.g.

For more information on custom claims, read User profile claims and scope.

Restrict Access Based on User Roles

Configure the OIDC authentication handler registration inside your ASP.NET application to inform it which claim in the ID Token contains the role information. Specify the RoleClaimType inside TokenValidationParameters. The value you specify must match the namespace you used in your rule.

public void ConfigureServices(IServiceCollection services)
    // Some code omitted for brevity...

    // Add authentication services
    services.AddAuthentication(options => {
    .AddOpenIdConnect("Auth0", options => {
        // ...

        // Set the correct name claim type
        options.TokenValidationParameters = new TokenValidationParameters
            NameClaimType = "name",
            RoleClaimType = ""


You can use the Role based authorization mechanism to make sure that only the users with specific roles can access certain actions. Add the [Authorize(Roles = ?)] attribute to your controller action.

The sample code below restricts the action only to users who have the admin role:

// Controllers/HomeController.cs

[Authorize(Roles = "admin")]
public IActionResult Admin()
    return View();
Use Auth0 for FREE