What is the difference between using policy-based authorization and authorizing with a role, or is there no difference?
[Authorize(Policy = "RequiredAdminRole")]
and
[Authorize(Roles = "Admin")]
By using the policy-based and role-based authorization process, we can provide access to a particular area of the application to the user based on the role/policy of the user.
ASP.NET allows four types of authentications: Windows Authentication. Forms Authentication. Passport Authentication.
Authentication is the process of determining a user's identity. Authorization is the process of determining whether a user has access to a resource.
Policy-based authentication is a new approach that provides a richer and more expressive model. This is because a policy is a collection of requirements based on claims and custom logic based on any other information that can be injected from the HTTP context or external sources.
Policy-based authorization gives you more flexibility. You can use custom authorization handlers with policies to add more complex logic than just checking if your user has a specific role. For example, you have some role mappings in your database. You can create a policy that will check if your user is authorized according to that data, or it can be any custom logic. You can also create a policy with only .RequireRole("Admin"), which technically will do the same as the attribute [Authorize(Roles = "Admin")].
Take a look at how to implement custom authorization handlers in the documentation.
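The two cases the answer contrasts, shown side by side as an added example (not code from the answer or from the ASP.NET Core documentation): a policy that only wraps RequireRole("Admin"), and a policy backed by a custom handler that looks the role up in a mapping store. IRoleMappingStore, InMemoryRoleMappingStore, MappedRoleRequirement, MappedRoleHandler, the "MappedAdmin" policy name, the routes, the cookie scheme and the sample user id are assumptions made for illustration.

```csharp
// Program.cs (ASP.NET Core 6+ minimal hosting; web SDK implicit usings assumed)
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication("Cookies").AddCookie(); // assumed sign-in scheme
builder.Services.AddSingleton<IRoleMappingStore, InMemoryRoleMappingStore>();
builder.Services.AddSingleton<IAuthorizationHandler, MappedRoleHandler>();
builder.Services.AddAuthorization(options =>
{
    // Same check as [Authorize(Roles = "Admin")]: inspects role claims only.
    options.AddPolicy("RequiredAdminRole", p => p.RequireRole("Admin"));
    // Custom logic: the role comes from the mapping store, not from the claims.
    options.AddPolicy("MappedAdmin", p => p.RequireAuthenticatedUser()
        .AddRequirements(new MappedRoleRequirement("Admin")));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/reports", () => "claim-based admin").RequireAuthorization("RequiredAdminRole");
app.MapGet("/users", () => "store-based admin").RequireAuthorization("MappedAdmin");
app.Run();

public sealed record MappedRoleRequirement(string Role) : IAuthorizationRequirement;

// Hypothetical abstraction over the database table that holds role mappings.
public interface IRoleMappingStore { Task<bool> IsInRoleAsync(string userId, string role); }

public sealed class InMemoryRoleMappingStore : IRoleMappingStore
{
    // Constructed sample data standing in for a database table.
    private static readonly HashSet<(string, string)> Map = new() { ("u-1001", "Admin") };
    public Task<bool> IsInRoleAsync(string userId, string role) => Task.FromResult(Map.Contains((userId, role)));
}

public sealed class MappedRoleHandler : AuthorizationHandler<MappedRoleRequirement>
{
    private readonly IRoleMappingStore _store;
    public MappedRoleHandler(IRoleMappingStore store) => _store = store;

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context, MappedRoleRequirement requirement)
    {
        // Assumption: the user id is carried in the NameIdentifier claim.
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        // Fail closed: only Succeed() grants access; returning without it denies.
        if (userId is not null && await _store.IsInRoleAsync(userId, requirement.Role))
            context.Succeed(requirement);
    }
}
```

Because MappedAdmin consults the store on every request, removing a mapping takes effect immediately, whereas the claim-based policy keeps honoring a role claim until the cookie or token is reissued.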