This chapter covers
- Understanding authentication and authorization
- Getting an overview of ASP.NET Core Identity
- Implementing authentication via user accounts and JSON Web Tokens
- Enabling authorization with AuthorizeAttribute and IAuthorizationFilter
- Understanding the role-based access control (RBAC) authorization strategy
The ASP.NET Core web API that we’ve built throughout the previous chapters has taken solid shape. Before we publish it, however, we must address some major security permissions problems that we intentionally left open. If we take a closer look at our BoardGamesController, DomainsController, and MechanicsController, we can see that they all have some Post and Delete methods that anyone could use to alter our valuable data. We don’t want that, do we?
For that reason, before even thinking about deploying our web API over the internet and making it publicly accessible, we need to find a way to restrict the use of those methods to a limited set of authorized users. In this chapter, we’ll learn how to do that by using ASP.NET Core Identity, a built-in API that can be used to manage users, roles, claims, tokens, policies, authorization-related behaviors, and other features.
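As an added illustration (not the book's own code) of the gap described above and the shape of the fix, the following trims BoardGamesController down to its read, create and delete actions and applies AuthorizeAttribute to the write methods. The BoardGame record, the in-memory store, the "Administrator" role name and the JWT:* configuration keys are assumptions made for this example; the book's own controllers, models and settings may differ.

```csharp
// ---- Controllers/BoardGamesController.cs ----
// Added example, not the book's code. Unauthenticated callers may still read,
// but Post and Delete now require a valid bearer token (and, for Delete, a role).
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

namespace MyBGList.Controllers;

// Assumed minimal model standing in for the book's entity.
public record BoardGame(int Id, string Name, int Year);

[ApiController]
[Route("[controller]")]
public class BoardGamesController : ControllerBase
{
    // Assumed in-memory store standing in for the database used in the book.
    private static readonly List<BoardGame> Store = new()
    {
        new BoardGame(1, "Catan", 1995),
    };

    // Reads stay public. [AllowAnonymous] is explicit so the intent survives
    // a later controller-level or global [Authorize].
    [HttpGet]
    [AllowAnonymous]
    public IEnumerable<BoardGame> Get() => Store;

    // Any authenticated user may create. With the JWT bearer scheme registered
    // as the default scheme, a missing or invalid token is rejected with 401.
    [HttpPost]
    [Authorize]
    public ActionResult<BoardGame> Post(BoardGame model)
    {
        Store.Add(model);
        return CreatedAtAction(nameof(Get), new { id = model.Id }, model);
    }

    // Deletion is further restricted to one role (role-based access control).
    // An authenticated user without the role is rejected with 403.
    [HttpDelete("{id:int}")]
    [Authorize(Roles = "Administrator")]   // role name is an assumption
    public IActionResult Delete(int id)
    {
        var removed = Store.RemoveAll(b => b.Id == id);
        return removed == 0 ? NotFound() : NoContent();
    }
}

// ---- Program.cs (excerpt) ----
// Requires the Microsoft.AspNetCore.Authentication.JwtBearer package.
// UseAuthentication must run before UseAuthorization, and both before
// MapControllers, otherwise [Authorize] is never evaluated.
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Configuration keys below are assumptions for this example.
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ValidIssuer = builder.Configuration["JWT:Issuer"],
            ValidAudience = builder.Configuration["JWT:Audience"],
            IssuerSigningKey = new SymmetricSecurityKey(
                Encoding.UTF8.GetBytes(builder.Configuration["JWT:SigningKey"]!))
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();
```

A quick check once this is wired up: an unauthenticated POST to /BoardGames should return 401, a POST with a valid token should return 201, and a DELETE with a valid token whose claims lack the Administrator role should return 403 rather than 404, which confirms the authorization filter ran before the action body.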