Custom Authorization Policies
Two framework types are involved: AuthorizeAttribute, which is subclassed so the attribute can carry a parameter (it has to encode that parameter into its Policy name, because the policy name is all the authorization middleware reads from the attribute), and IAuthorizationPolicyProvider, which is implemented so that such parameterised policy names are built on demand instead of having to be registered up front in AddAuthorization. Usage on a controller action:

[MinimumAgeAuthorize(10)]
public IActionResult RequiresMinimumAge10() => Ok();
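The complete pattern behind that fragment, as an added example (it is not code from the page or from any of the linked articles): a parameterised attribute derived from AuthorizeAttribute, a requirement plus handler that evaluate a date-of-birth claim, and an IAuthorizationPolicyProvider that builds the "MinimumAge{n}" policy on first use and delegates every other policy name to the built-in provider. All type names, the "MinimumAge" prefix and the choice of ClaimTypes.DateOfBirth as the age source are this example's own assumptions; it targets ASP.NET Core 6+ with nullable reference types enabled (the template default).

```csharp
// Added example, not the page's or the linked projects' code. Type names, the
// "MinimumAge" prefix and the DateOfBirth claim are this example's assumptions.
using System;
using System.Globalization;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

// The attribute carries its parameter by encoding it into AuthorizeAttribute.Policy,
// because the policy name is the only thing the authorization middleware reads from it.
public sealed class MinimumAgeAuthorizeAttribute : AuthorizeAttribute
{
    public const string PolicyPrefix = "MinimumAge";
    public MinimumAgeAuthorizeAttribute(int age)
        => Policy = PolicyPrefix + age.ToString(CultureInfo.InvariantCulture);
}

// The requirement is plain data; the handler decides whether the user satisfies it.
public sealed class MinimumAgeRequirement : IAuthorizationRequirement
{
    public MinimumAgeRequirement(int minimumAge) => MinimumAge = minimumAge;
    public int MinimumAge { get; }
}

public sealed class MinimumAgeHandler : AuthorizationHandler<MinimumAgeRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   MinimumAgeRequirement requirement)
    {
        // Fail closed: a missing or unparsable claim simply leaves the requirement unmet.
        var dob = context.User.FindFirst(ClaimTypes.DateOfBirth)?.Value;
        if (dob != null && DateTime.TryParse(dob, CultureInfo.InvariantCulture,
                                              DateTimeStyles.None, out var birthDate))
        {
            var today = DateTime.Today;
            var age = today.Year - birthDate.Year;
            if (birthDate > today.AddYears(-age)) age--;   // birthday not reached yet this year
            if (age >= requirement.MinimumAge) context.Succeed(requirement);
        }
        return Task.CompletedTask;
    }
}

// The provider recognises "MinimumAge{n}" names and builds the policy on the fly.
// Everything else (named policies, default, fallback) is delegated to the built-in
// provider so plain [Authorize] and [Authorize(Policy = "...")] keep working.
public sealed class MinimumAgePolicyProvider : IAuthorizationPolicyProvider
{
    private readonly DefaultAuthorizationPolicyProvider _fallback;

    public MinimumAgePolicyProvider(IOptions<AuthorizationOptions> options)
        => _fallback = new DefaultAuthorizationPolicyProvider(options);

    public Task<AuthorizationPolicy> GetDefaultPolicyAsync() => _fallback.GetDefaultPolicyAsync();
    public Task<AuthorizationPolicy?> GetFallbackPolicyAsync() => _fallback.GetFallbackPolicyAsync();

    public Task<AuthorizationPolicy?> GetPolicyAsync(string policyName)
    {
        const string prefix = MinimumAgeAuthorizeAttribute.PolicyPrefix;
        // NumberStyles.None accepts digits only, so "MinimumAge-5" or "MinimumAge 5" is not
        // one of our policies and falls through to the default provider (which returns null).
        if (policyName.StartsWith(prefix, StringComparison.Ordinal) &&
            int.TryParse(policyName.AsSpan(prefix.Length), NumberStyles.None,
                         CultureInfo.InvariantCulture, out var age))
        {
            var policy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .AddRequirements(new MinimumAgeRequirement(age))
                .Build();
            return Task.FromResult<AuthorizationPolicy?>(policy);
        }
        return _fallback.GetPolicyAsync(policyName);
    }
}

// Registration: the custom provider replaces the default one (register it as a singleton),
// and the handler must be registered too, or the requirement can never be satisfied.
public static class MinimumAgeAuthorizationExtensions
{
    public static IServiceCollection AddMinimumAgeAuthorization(this IServiceCollection services)
    {
        services.AddAuthorization();
        services.AddSingleton<IAuthorizationPolicyProvider, MinimumAgePolicyProvider>();
        services.AddSingleton<IAuthorizationHandler, MinimumAgeHandler>();
        return services;
    }
}

// Usage on an action, as in the fragment above.
public class AgeController : Controller
{
    [MinimumAgeAuthorize(10)]
    public IActionResult RequiresMinimumAge10() => Content("Old enough.");
}
```

Call services.AddMinimumAgeAuthorization() from ConfigureServices (or Program.cs) after the authentication setup. The provider is resolved once per policy name and the result is cached by the framework's PolicyEvaluator path, so parsing the name on every request is not a concern; what does matter is that the handler never calls context.Fail() for a merely missing claim, so other handlers for the same requirement could still succeed, and that the fallback provider is kept, since returning null for unknown names would silently turn every other [Authorize(Policy = ...)] into an InvalidOperationException at request time.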
https://www.red-gate.com/simple-talk/development/dotnet-development/policy-based-authorization-in-asp-net-core-a-deep-dive/
https://stackoverflow.com/questions/31464359/how-do-you-create-a-custom-authorizeattribute-in-asp-net-core
https://ekobit.com/blog/asp-netcore-custom-authorization-attributes/
https://github.com/blowdart/AspNetAuthorization-Samples
https://github.com/blowdart/AspNetAuthorizationWorkshop
https://github.com/blowdart/AspNetAuthenticationWorkshop
https://dotnetcorecentral.com/blog/asp-net-core-authorization/
https://github.com/choudhurynirjhar/auth-demo
https://medium.com/@kadir.kilicoglu_67563/asp-net-core-custom-authorization-policies-with-multiple-requirements-and-multiple-handlers-487f920ae13e
https://github.com/kkadir/custom-policy-provider-demo (This repo is a part of the ASP.NET Core: Custom Authorization Policies With Multiple Requirements article published at Medium)
Using Authorization Cookies in ASP.NET Core
Using cookie authorization in ASP.NET Core is seamless and flexible. In this article, Camilo Reyes explains why this might be a good choice for your next project and how to use the many options available.
Cookie Options
Begin by configuring the auth cookie options in the Startup class: in ConfigureServices, AddAuthentication().AddCookie(options => ...) exposes them through options.Cookie. Cookie options tell the cookie authentication handler how the cookie behaves in the browser. There are many options, but I will only focus on those that affect cookie security the most.
- HttpOnly: marks the cookie HttpOnly, so the browser sends it with requests but script (document.cookie) cannot read it. That keeps an XSS payload from exfiltrating the session cookie, although injected script can still issue requests that carry it.
- SecurePolicy: Always marks the cookie Secure, so the browser only sends it over HTTPS. I recommend Always in prod. For local development over plain HTTP, SameAsRequest (the default) sets the flag only when the request itself arrived over HTTPS; None never sets it, which means a cookie issued over HTTPS would also be sent on a plain-HTTP request to the same host.
- SameSite: Indicates whether the browser attaches the cookie to cross-site requests. Strict never does, not even for a top-level link from another site; Lax attaches it to top-level GET navigations. For OAuth or OIDC sign-in, where an external provider redirects the browser back to your site, set this to Lax. I am setting this to Strict because the auth cookie is only for a single site. In ASP.NET Core 2.x before the November 2019 SameSite patches, None meant that no SameSite attribute was written at all; from ASP.NET Core 3.1 (and the patched 2.1/2.2 releases) None writes SameSite=None, which browsers honor only together with Secure, and SameSiteMode.Unspecified is the value that omits the attribute.
There are cookie options for both the auth cookie and a global cookie policy (CookiePolicyOptions, applied by the UseCookiePolicy middleware), and the two interact. The policy middleware rewrites every cookie written after it in the pipeline, and it only tightens settings: HttpOnlyPolicy.Always forces HttpOnly back on even if the auth cookie sets it to false, while with the default HttpOnlyPolicy.None the auth cookie's own setting stands; MinimumSameSitePolicy is a floor, so a minimum of Lax leaves a Strict auth cookie at Strict but raises anything weaker to Lax. Because the middleware only sees cookies written downstream of it, UseCookiePolicy has to come before UseAuthentication in Configure. In my demo, I'll illustrate both scenarios, so it is crystal clear how this works.
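The three options above beside the global cookie policy, as an added example that is not the article's own demo code: a Startup class that hardens the auth cookie, switches SecurePolicy by environment so local HTTP development keeps working, and sets a policy that can only raise those settings. It targets ASP.NET Core 3.1+ with a Startup class; the login path, expiry and the exact policy values are this example's own choices.

```csharp
// Added example, not the article's demo. Login path, expiry and the policy values
// chosen here are this example's assumptions.
using System;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.CookiePolicy;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    private readonly IWebHostEnvironment _env;
    public Startup(IWebHostEnvironment env) => _env = env;

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                // Script cannot read the cookie: an XSS can still ride the session from
                // inside the browser, but it cannot exfiltrate the cookie value.
                options.Cookie.HttpOnly = true;

                // Secure flag: Always in production. SameAsRequest (the default) is the
                // right local choice: a cookie issued over http://localhost is not marked
                // Secure, so the browser still returns it. None would never set the flag.
                options.Cookie.SecurePolicy = _env.IsDevelopment()
                    ? CookieSecurePolicy.SameAsRequest
                    : CookieSecurePolicy.Always;

                // Strict: never sent on cross-site requests, including top-level navigation
                // from another site. Use Lax when an external OAuth/OIDC provider has to
                // redirect the browser back to this site with the cookie attached.
                options.Cookie.SameSite = SameSiteMode.Strict;

                options.Cookie.IsEssential = true;   // not subject to a consent check
                options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
                options.SlidingExpiration = true;
                options.LoginPath = "/account/login";
            });

        // Global policy, applied by UseCookiePolicy() to every Set-Cookie written
        // downstream of it. It can only raise a cookie's settings, never lower them:
        //   - HttpOnlyPolicy.Always turns HttpOnly back on even if a cookie set it to
        //     false; HttpOnlyPolicy.None (the default) leaves each cookie's own choice.
        //   - MinimumSameSitePolicy is a floor: a Lax minimum leaves the Strict auth
        //     cookie at Strict but lifts any cookie below Lax up to Lax.
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.HttpOnly = HttpOnlyPolicy.Always;
            options.MinimumSameSitePolicy = SameSiteMode.Lax;
            // options.Secure = CookieSecurePolicy.Always would force Secure on every
            // cookie as well, and in development that would drop the http://localhost
            // session configured above, so it is left at its default here.
        });

        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app)
    {
        if (!_env.IsDevelopment()) app.UseHsts();
        app.UseHttpsRedirection();
        // Ordering matters: the policy middleware wraps the response cookie feature for
        // everything after it, so it must precede UseAuthentication to affect the auth
        // cookie (the documented order also puts it before UseRouting).
        app.UseCookiePolicy();
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

To see the interplay, temporarily set options.Cookie.HttpOnly = false in AddCookie and sign in: with the policy's HttpOnlyPolicy.Always the Set-Cookie header still carries HttpOnly, and it only disappears once the policy is changed back to HttpOnlyPolicy.None. Conversely, lowering the auth cookie to SameSiteMode.None while the policy floor is Lax yields SameSite=Lax in the response, which is what the author's "policy overrides auth cookie" observation amounts to.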