Chapter 15. Authorization: securing your application
This chapter covers

  • Using authorization to control who can use your app
  • Using claims-based authorization with policies
  • Creating custom policies to handle complex requirements
  • Authorizing a request depending upon the resource being accessed
  • Hiding elements from a Razor template that the user is unauthorized to access

In chapter 14, I showed how to add users to an ASP.NET Core application by adding authentication. With authentication, users can register and log in to your app using an email and password. Whenever you add authentication to an app, you inevitably find that you want to restrict what some users can do. The process of determining whether a user is permitted to perform a given action in your app is called authorization.

On an e-commerce site, for example, you may have admin users who are allowed to add new products and change prices, sales users who are allowed to view completed orders, and customer users who are only allowed to place orders and buy products.

In this chapter, I show how to use authorization in an app to control what your users can do. In section 15.1, I introduce authorization and put it in the context of a real-life scenario you’ve probably experienced: an airport. I describe the sequence of events, from checking in and passing through security to entering an airport lounge, and how each step relates to the authorization concepts you’ll see in this chapter.

15.1. Introduction to authorization

15.2. Authorization in ASP.NET Core

15.3. Using policies for claims-based authorization

15.4. Creating custom policies for authorization

15.5. Controlling access with resource-based authorization

15.6. Hiding elements in Razor templates from unauthorized users

Summary