ASP.NET Core v2.1: Authorization
This tutorial will show you how assign roles to your users, and use those claims to authorize or deny a user to access certain routes in the app. We recommend you to Log in to follow this quickstart with examples configured for your account.
I want to integrate with my app15 minutes
I want to explore a sample app2 minutes
Get a sample configured with your account settings or check it out on Github.
ASP.NET Core supports Role based Authorization which allows you to limit access to your application based on the user's role. This tutorial shows how to add role information to the user's ID token and then use it to limit access to your application.
Create a Rule to Assign Roles
Create a rule that assigns the following access roles to your user:
- An admin role
- A regular user role
To assign roles, go to the New rule page. In the Access Control section, create an empty rule.
Use the following code for your rule:
Update the code to check for your own email domain, or match your custom condition.
This quickstart guide uses
https://schemas.quickstarts.com/roles for the claim namespace. We recommend that you use a namespace related to your own Auth0 tenant for your claims, for example,
Is the user prompted for login credentials?
Restrict Access Based on User Roles
Configure the OIDC authentication handler registration inside your ASP.NET application to inform it which claim in the ID Token contains the role information. Specify the
TokenValidationParameters. The value you specify must match the namespace you used in your rule.
You can use the Role based authorization mechanism to make sure that only the users with specific roles can access certain actions. Add the
[Authorize(Roles = ?)] attribute to your controller action.
The sample code below restricts the action only to users who have the