ASP.NET UseAuthorization
last modified April 3, 2025
In this article, we explore the UseAuthorization middleware in ASP.NET 8. This component is essential for implementing authentication and authorization in web applications.
ASP.NET provides a robust security system that separates authentication and authorization. UseAuthorization enables policy-based access control to protect your application resources.
Basic Definition
The UseAuthorization middleware in ASP.NET handles authorization for requests. It works with authentication middleware to secure your application endpoints.
Authorization determines what an authenticated user is allowed to do. It's typically added after UseAuthentication and before endpoint routing in the middleware pipeline.
UseAuthorization evaluates authorization policies against the current user. These policies can be role-based, claim-based, or custom requirements.
ASP.NET UseAuthorization Example
The following example demonstrates a basic ASP.NET application with authorization setup.
var builder = WebApplication.CreateBuilder(args);
// Add services to the container
builder.Services.AddAuthentication("Cookies")
.AddCookie("Cookies", options =>
{
options.LoginPath = "/Account/Login";
options.AccessDeniedPath = "/Account/AccessDenied";
});
builder.Services.AddAuthorization(options =>
{
options.AddPolicy("AdminOnly", policy =>
policy.RequireRole("Admin"));
options.AddPolicy("Over18", policy =>
policy.RequireClaim("Age", "18"));
});
builder.Services.AddControllersWithViews();
var app = builder.Build();
// Configure the HTTP request pipeline
app.UseAuthentication();
app.UseAuthorization();
app.MapControllerRoute(
name: "default",
pattern: "{controller=Home}/{action=Index}/{id?}");
app.Run();
This sets up an ASP.NET application with cookie authentication and two authorization policies. The AdminOnly policy requires users to have the Admin role.
The Over18 policy requires users to have an Age claim with value 18. UseAuthorization is placed after UseAuthentication in the middleware pipeline.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
public class HomeController : Controller
{
public IActionResult Index()
{
return View();
}
[Authorize]
public IActionResult MembersOnly()
{
return View();
}
[Authorize(Policy = "AdminOnly")]
public IActionResult AdminDashboard()
{
return View();
}
[Authorize(Policy = "Over18")]
public IActionResult AdultContent()
{
return View();
}
}
This controller demonstrates different authorization scenarios. The MembersOnly action requires any authenticated user, using the basic [Authorize] attribute.
The AdminDashboard action uses the AdminOnly policy we defined in Program.cs. Only users with the Admin role can access this endpoint.
The AdultContent action uses the Over18 policy, requiring users to have the Age claim set to 18. The [Authorize] attribute applies these policies to specific actions.
@{
ViewData["Title"] = "Login";
}
<h2>Login</h2>
<form method="post">
<div>
<label>Username</label>
<input name="username" />
</div>
<div>
<label>Password</label>
<input name="password" type="password" />
</div>
<button type="submit">Login</button>
</form>
This simple login view collects credentials. In a real application, you would validate these against a user store and issue authentication cookies.
Source
Microsoft ASP.NET Authorization Documentation
In this article, we have explored the UseAuthorization middleware in ASP.NET 8. This powerful feature enables flexible security policies to protect your application resources.
Author
List all ASP.NET tutorials.