ASP.NET Core Authorization

Version: v2.0

Sample Project

Download a sample project specific to this tutorial configured with your Auth0 API Keys.

System Requirements
  • .NET Core SDK 2.0 (Preview 2)
  • .NET Core 2.0 (Preview 2)
  • ASP.NET Core 2.0 (Preview 2)
Show requirements

ASP.NET Core supports Role based Authorization which allows you to limit access of users based on their role in the application. In this tutorial we will look at how you can amend your user's id_token by adding role information and then use that information inside your application to limit a user's access.

This tutorial assumes that you are familiar with Rules.

Create a Rule to assign roles

First, we will create a rule that assigns our users either an admin role, or a user role based on the email domain. To do so, go to the new rule page and create an empty rule. Then use the following code for your rule:

function (user, context, callback) {
  var addRolesToUser = function(user, cb) {
    if ('') > -1) {
      cb(null, ['admin']);
    } else {
      cb(null, ['user']);

  addRolesToUser(user, function(err, roles) {
    if (err) {
    } else {
      context.idToken[""] = roles;     
      callback(null, user, context);

Update the code to check for your own email domain, or match the condition according to your needs. Notice that you can also set more roles other than admin and user, or customize the whole rule as you please.

This quickstart uses for the claim namespace, but it is suggested that you use a namespace related to your own Auth0 tenant for your claims, e.g

For more information on custom claims please see User profile claims and scope.

Restrict an Action Based on a User's Roles

Next you will need to configure the OIDC authentication handler registration inside your ASP.NET application to inform it which claim in the id_token contains the role information. Alter your OIDC authentication handler registration to specify the RoleClaimType inside the TokenValidationParameters. Ensure that this matches the namespace you used inside your Rule.

public void ConfigureServices(IServiceCollection services)
    // Add authentication services
    services.AddAuthentication(options => {
        options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    .AddOpenIdConnectAuthentication("Auth0", options => {
        // ...

        // Configure the scope

        // Set the correct name claim type
        options.TokenValidationParameters = new TokenValidationParameters
            NameClaimType = "name",
            RoleClaimType = ""

        options.Events = new OpenIdConnectEvents
            // handle the logout redirection 
            OnRedirectToIdentityProviderForSignOut = (context) =>
                // ...

At this point the you have integrated with the the Role based authorization mechanism of ASP.NET Core, which means that your can ensure that a user belongs to a particular role by simply decorating your controller actions with the [Authorize(Roles = ?)] attribute.

The sample code below will restrict the particular action only to users who have the "admin" role:

// Controllers/HomeController.cs

[Authorize(Roles = "admin")]
public IActionResult Admin()
  return View();
Previous Tutorial
5. User Profile
Use Auth0 for FREECreate free Account