Section 3 of 6
Claims-Based Authorization
🎯 What You'll Learn
- What are claims
- Adding claims to users
- RequireClaim policy
- Checking claims in code
- Claims vs roles
What are Claims?
Claims are key-value pairs that describe the user (name, email, department, etc.). A user's claims are loaded into the ClaimsPrincipal when the user signs in, and they allow more granular authorization decisions than roles.
Adding Claims to Users
Add Claims
```csharp
using System.Collections.Generic;
using System.Security.Claims;

// Persist claims for this user in the Identity store.
var claims = new List<Claim>
{
    new Claim("Department", "IT"),
    new Claim("EmployeeNumber", "12345"),
    new Claim("CanEditProducts", "true")
};
await _userManager.AddClaimsAsync(user, claims);
// Note: the stored claims are copied into the user's ClaimsPrincipal at sign-in,
// so an already-issued authentication cookie does not pick them up until the
// principal is regenerated (re-sign-in or security-stamp revalidation).
```
RequireClaim Policy
Program.cs
```csharp
builder.Services.AddAuthorization(options =>
{
    // Requires a "Department" claim whose value is exactly "IT".
    options.AddPolicy("ITDepartment", policy =>
        policy.RequireClaim("Department", "IT"));
    // Requires a "CanEditProducts" claim whose value is exactly "true".
    options.AddPolicy("CanEditProducts", policy =>
        policy.RequireClaim("CanEditProducts", "true"));
});
```
Using Claim Policies
[Authorize(Policy)]
```csharp
[Authorize(Policy = "ITDepartment")]
public IActionResult ITDashboard()
{
    return View();
}

[Authorize(Policy = "CanEditProducts")]
public IActionResult EditProduct()
{
    return View();
}
```
Checking Claims in Code
Check Claim
```csharp
// User is the ClaimsPrincipal for the current request; it only reflects the
// claims carried in the authentication cookie or token.
if (User.HasClaim("Department", "IT"))
{
    // IT department logic
}

// Get claim value (null if the claim is absent)
var department = User.FindFirst("Department")?.Value;
```
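The following is an added example (not part of the original tutorial) that evaluates the two RequireClaim policies defined above against constructed ClaimsPrincipals through IAuthorizationService, without MVC, and compares the result with User.HasClaim(). It assumes a console project referencing the Microsoft.AspNetCore.Authorization and Microsoft.Extensions.DependencyInjection packages (the shared framework in a web project already provides them); the policy and claim names are the tutorial's own.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

public static class ClaimPolicyDemo
{
    // Builds an authenticated principal from constructed claims (test data, not a real user).
    static ClaimsPrincipal MakeUser(params (string Type, string Value)[] claims)
    {
        var identity = new ClaimsIdentity(authenticationType: "Demo");
        foreach (var (type, value) in claims)
            identity.AddClaim(new Claim(type, value));
        return new ClaimsPrincipal(identity);
    }

    public static async Task Main()
    {
        var services = new ServiceCollection();
        services.AddLogging();
        // AddAuthorizationCore is the package-level equivalent of AddAuthorization used in Program.cs.
        services.AddAuthorizationCore(options =>
        {
            options.AddPolicy("ITDepartment", p => p.RequireClaim("Department", "IT"));
            options.AddPolicy("CanEditProducts", p => p.RequireClaim("CanEditProducts", "true"));
        });
        var auth = services.BuildServiceProvider().GetRequiredService<IAuthorizationService>();

        var itEditor = MakeUser(("Department", "IT"), ("CanEditProducts", "true"));
        var hrUser   = MakeUser(("Department", "HR"));
        var lowerIt  = MakeUser(("Department", "it"));

        foreach (var (name, user) in new[] { ("itEditor", itEditor), ("hrUser", hrUser), ("lowerIt", lowerIt) })
        {
            var it   = await auth.AuthorizeAsync(user, null, "ITDepartment");
            var edit = await auth.AuthorizeAsync(user, null, "CanEditProducts");
            // HasClaim(type, value) applies the same rule as RequireClaim: the claim type is
            // compared case-insensitively, the value with an ordinal (case-sensitive)
            // comparison, so a "Department" value of "it" does not satisfy a policy that
            // requires "IT". Normalize claim values when you store them.
            var hasIt = user.HasClaim("Department", "IT");
            Console.WriteLine($"{name}: ITDepartment={it.Succeeded} CanEditProducts={edit.Succeeded} HasClaim(IT)={hasIt}");
        }
    }
}
```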
Claims vs Roles
| Aspect | Roles | Claims |
|---|---|---|
| Granularity | Coarse (Admin, User) | Fine-grained (Department, CanEdit) |
| Flexibility | Limited | Highly flexible |
| Use Case | General permissions | Specific attributes/permissions |
| Example | Admin, Manager | Department=IT, CanEditProducts=true |
Key Takeaways
- Claims: Key-value pairs describing user
- AddClaimsAsync(): Add claims to user
- RequireClaim(): Create claim-based policy
- [Authorize(Policy)]: Apply claim policy
- User.HasClaim(): Check claim in code
- More granular: Claims allow finer-grained authorization than role-based authorization alone