Wednesday, June 24, 2020

ASP.NET Core–Endpoint authorization

Until recently I always used an (empty) [Authorize] attribute on top of my controllers to activate authorization on a specific endpoint (or I used a global AuthorizeFilter).

This will authorize users using the DefaultPolicy which just requires an authenticated user.

With the introduction of endpoint routing there is a new alternative. The disadvantage of the AuthorizeFilter and the [Authorize] attribute is that they are MVC-only features.

A (better) solution is to use the RequireAuthorization() extension method on IEndpointConventionBuilder:

This has the same effect as applying an [Authorize] attribute on every controller.
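The following Startup class is an added example, not code from the original post. It shows RequireAuthorization() on the controller endpoints and on two non-MVC endpoints that an [Authorize] attribute cannot reach. The cookie scheme, the "OpsOnly" policy, the "ops" role and the routes are assumptions made for the illustration.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        services.AddHealthChecks();

        // Assumed scheme for the example; any authentication scheme works.
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
                .AddCookie();

        // Hypothetical named policy, used for the detailed health endpoint below.
        services.AddAuthorization(options =>
            options.AddPolicy("OpsOnly", policy =>
                policy.RequireAuthenticatedUser().RequireRole("ops")));
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();

        // Both middlewares sit between UseRouting and UseEndpoints so that
        // the endpoint's authorization metadata is evaluated before it runs.
        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            // DefaultPolicy on every controller action.
            endpoints.MapControllers().RequireAuthorization();

            // Non-MVC endpoint, DefaultPolicy (authenticated user required).
            endpoints.MapGet("/whoami", context =>
                context.Response.WriteAsync(context.User.Identity.Name ?? string.Empty))
                .RequireAuthorization();

            // Non-MVC endpoint protected by the named policy.
            endpoints.MapHealthChecks("/health/detail").RequireAuthorization("OpsOnly");

            // No authorization metadata: stays anonymous for load balancer probes.
            endpoints.MapHealthChecks("/health/live");
        });
    }
}
```

An [AllowAnonymous] attribute on a controller or action still opts that action out of the requirement added by MapControllers().RequireAuthorization().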