ASP.NET Authorize
last modified April 3, 2025
In this article, we explore the Authorize attribute in ASP.NET 8. This attribute is essential for securing web applications and APIs by controlling access.
ASP.NET is a cross-platform, high-performance framework for building modern web applications. The Authorize attribute helps implement authentication and authorization.
Basic Definition
The Authorize attribute in ASP.NET restricts access to controllers or actions to authenticated users. It can also specify required roles or policies.
When applied to a controller or action method, Authorize checks if the current user is authenticated. If not, it returns a 401 Unauthorized status code.
Authorize is part of ASP.NET's security system, which integrates with various authentication schemes. It works with cookie-based auth, JWT tokens, and more.
ASP.NET Authorize Example
The following example demonstrates a secure Web API controller using Authorize.
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Register JWT bearer authentication and validate every part of the token.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new()
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ValidIssuer = builder.Configuration["Jwt:Issuer"],
            ValidAudience = builder.Configuration["Jwt:Audience"],
            IssuerSigningKey = new SymmetricSecurityKey(
                Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]))
        };
    });

builder.Services.AddAuthorization();
builder.Services.AddControllers();

var app = builder.Build();

// Authentication must run before authorization, and both before the endpoints.
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();

app.Run();
This sets up an ASP.NET application with JWT bearer token authentication. The UseAuthentication and UseAuthorization middleware are required for the Authorize attribute to work, and they must be registered in that order, before the endpoints are mapped; otherwise the attribute has no authenticated user to evaluate.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[ApiController]
[Route("api/[controller]")]
[Authorize]   // every action in this controller requires an authenticated user
public class OrdersController : ControllerBase
{
    private static List<Order> _orders = new()
    {
        new Order(1, "Laptop", 2, 1999.98m),
        new Order(2, "Monitor", 1, 299.99m)
    };

    [HttpGet]
    public IActionResult GetAllOrders()
    {
        return Ok(_orders);
    }

    [HttpGet("{id}")]
    public IActionResult GetOrderById(int id)
    {
        var order = _orders.FirstOrDefault(o => o.Id == id);
        if (order == null) return NotFound();
        return Ok(order);
    }

    [HttpGet("admin")]
    [Authorize(Roles = "Admin")]   // additionally requires the Admin role
    public IActionResult GetAdminData()
    {
        return Ok("This is sensitive admin data");
    }
}

public record Order(int Id, string ProductName, int Quantity, decimal Total);
This controller demonstrates three different authorization scenarios. The controller-level [Authorize] requires authentication for all actions.
The first two methods are accessible to any authenticated user. The third method has an additional [Authorize(Roles = "Admin")] attribute that restricts access to users in the Admin role. An authenticated user who is not in that role receives a 403 Forbidden response rather than a 401, because the request passed authentication but failed authorization.
The ApiController attribute enables Web API conventions. The Route attribute sets the base path for all actions in this controller.
This example shows how Authorize can be used at different levels and with different requirements. It demonstrates both simple authentication checks and role-based authorization.
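To verify that these attributes behave as intended, here is an added xUnit integration test (example code, not part of the original article) that boots the application with WebApplicationFactory, mints test tokens with and without the Admin role, and asserts the responses: 401 for anonymous callers, 200 for any authenticated user on the order endpoints, and 403 rather than 401 for an authenticated user who lacks the Admin role. It assumes the Microsoft.AspNetCore.Mvc.Testing and xunit packages, a test project with ImplicitUsings enabled, the same Jwt:* configuration keys as above, and a `public partial class Program { }` declaration at the end of Program.cs; the issuer, audience and signing key are constructed test-only values.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Net;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc.Testing;
using Microsoft.Extensions.Configuration;
using Microsoft.IdentityModel.Tokens;
using Xunit;

// Assumes ImplicitUsings and `public partial class Program { }` at the end of Program.cs.
public class OrdersAuthorizationTests : IClassFixture<WebApplicationFactory<Program>>
{
    // Constructed test-only values; HS256 needs a key of at least 32 bytes.
    private const string Issuer = "test-issuer";
    private const string Audience = "test-audience";
    private const string Key = "test-only-signing-key-with-at-least-32-bytes!!";
    private readonly WebApplicationFactory<Program> _factory;
    public OrdersAuthorizationTests(WebApplicationFactory<Program> factory) =>
        // Override the Jwt:* settings so the app validates the tokens minted below.
        _factory = factory.WithWebHostBuilder(b => b.ConfigureAppConfiguration(cfg =>
            cfg.AddInMemoryCollection(new Dictionary<string, string?>
            {
                ["Jwt:Issuer"] = Issuer, ["Jwt:Audience"] = Audience, ["Jwt:Key"] = Key,
            })));
    // Mints a short-lived HS256 token whose role claims drive [Authorize(Roles = "...")].
    private static string MintToken(params string[] roles)
    {
        var claims = roles.Select(r => new Claim(ClaimTypes.Role, r)).Append(new Claim(ClaimTypes.Name, "test-user"));
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Key));
        var token = new JwtSecurityToken(Issuer, Audience, claims, expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Issues a GET, attaching the bearer token when one is given, and returns the status code.
    private async Task<HttpStatusCode> GetStatusAsync(string path, string? token = null)
    {
        var client = _factory.CreateClient();
        if (token is not null)
            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
        return (await client.GetAsync(path)).StatusCode;
    }

    [Fact] public async Task Anonymous_Gets_401() => Assert.Equal(HttpStatusCode.Unauthorized, await GetStatusAsync("/api/orders"));
    [Fact] public async Task Any_User_Gets_Orders() => Assert.Equal(HttpStatusCode.OK, await GetStatusAsync("/api/orders", MintToken("User")));
    [Fact] public async Task Non_Admin_Gets_403() => Assert.Equal(HttpStatusCode.Forbidden, await GetStatusAsync("/api/orders/admin", MintToken("User")));
    [Fact] public async Task Admin_Gets_Admin_Data() => Assert.Equal(HttpStatusCode.OK, await GetStatusAsync("/api/orders/admin", MintToken("Admin")));
}
```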
Source
Microsoft ASP.NET Authorization Documentation
In this article, we have explored the Authorize attribute in ASP.NET 8. This powerful feature is essential for securing web applications and APIs.