Custom Authorization Policies
public IActionResult RequiresMinimumAge10()
https://github.com/kkadir/custom-policy-provider-demo (This repo is a part of the ASP.NET Core: Custom Authorization Policies With Multiple Requirements article published at Medium)
Using Authorization Cookies in ASP.NET Core
Using cookie authorization in ASP.NET Core is seamless and flexible. In this article, Camilo Reyes explains why this might be a good choice for your next project and how to use the many options available.
Begin by configuring auth cookie options through middleware inside the Startup class. Cookie options tell the authentication middleware how the cookie behaves in the browser. There are many options, but I will only focus on those that affect cookie security the most.
- SecurePolicy: This limits the cookie to HTTPS. I recommend setting this to Always in production. Leave it set to None for local development.
- SameSite: Indicates whether the browser can use the cookie with cross-site requests. For OAuth authentication, set this to Lax. I am setting this to Strict because the auth cookie is only for a single site. Setting this to None does not set a cookie header value.
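The two options above, wired into a Startup class. This is an added example, not code from the original article; it assumes ASP.NET Core 3.0 or later (`IWebHostEnvironment`, endpoint routing) and an MVC controller app.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    private readonly IWebHostEnvironment _env;

    // Assumption: the hosting environment is injected so the cookie policy
    // can differ between local development and production.
    public Startup(IWebHostEnvironment env) => _env = env;

    public void ConfigureServices(IServiceCollection services)
    {
        services
            .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                // SecurePolicy: Always marks the cookie Secure (HTTPS only).
                // None is used only for local development over plain HTTP.
                options.Cookie.SecurePolicy = _env.IsDevelopment()
                    ? CookieSecurePolicy.None
                    : CookieSecurePolicy.Always;

                // SameSite: Strict because the auth cookie serves a single site.
                // Switch to SameSiteMode.Lax when OAuth authentication is used.
                options.Cookie.SameSite = SameSiteMode.Strict;
            });

        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();

        // Authentication must run before authorization so the cookie is
        // read and the user principal is set before policies are evaluated.
        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```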