Role-Based Authorization in ASP.NET Core

Abhay Harsora
4w
463
0
1
25
Blog

Why This Topic Is Trending?

In real applications:

Admin has full access
User has limited access
Manager has special permissions

This is called Role-Based Authorization.

Companies use this in:

✔ Banking apps
✔ E-commerce websites
✔ Admin dashboards
✔ Enterprise software

And interviewers ask this very often 🔥

What We Will Learn

✔ What is Authorization?
✔ What are Roles?
✔ How to assign roles
✔ How to protect API by role
✔ How to test using Postman

Beginner friendly and easy explanation.

Authentication vs Authorization (Simple Difference)

Authentication	Authorization
Who are you?	What can you access?
Login process	Access control
Example: Username + Password	Example: Admin or User

First login → then check role.

Step 1: Create ASP.NET Core Web API Project

Open Visual Studio
Create ASP.NET Core Web API
Choose .NET 8

Step 2: Install JWT Package

Install via NuGet:

Microsoft.AspNetCore.Authentication.JwtBearer

Step 3: Add JWT Settings in appsettings.json

"Jwt": {
  "Key": "ThisIsSuperSecretKey12345",
  "Issuer": "MyAuthServer",
  "Audience": "MyApiUsers"
}

Step 4: Configure JWT in Program.cs

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using System.Text;

builder.Services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
    var key = Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]);

    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateIssuerSigningKey = true,
        ValidateLifetime = true,
        ValidIssuer = builder.Configuration["Jwt:Issuer"],
        ValidAudience = builder.Configuration["Jwt:Audience"],
        IssuerSigningKey = new SymmetricSecurityKey(key)
    };
});

builder.Services.AddAuthorization();

And inside middleware:

app.UseAuthentication();
app.UseAuthorization();

Step 5: Create Login Model

public class LoginModel
{
    public string Username { get; set; }
    public string Password { get; set; }
}

Step 6: Create AuthController with Roles

using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;

[Route("api/[controller]")]
[ApiController]
public class AuthController : ControllerBase
{
    private readonly IConfiguration _configuration;

    public AuthController(IConfiguration configuration)
    {
        _configuration = configuration;
    }

    [HttpPost("login")]
    public IActionResult Login(LoginModel model)
    {
        string role = "";

        // Demo users
        if (model.Username == "admin" && model.Password == "123")
        {
            role = "Admin";
        }
        else if (model.Username == "user" && model.Password == "123")
        {
            role = "User";
        }
        else
        {
            return Unauthorized();
        }

        var claims = new[]
        {
            new Claim(ClaimTypes.Name, model.Username),
            new Claim(ClaimTypes.Role, role)
        };

        var key = new SymmetricSecurityKey(
            Encoding.UTF8.GetBytes(_configuration["Jwt:Key"]));

        var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);

        var token = new JwtSecurityToken(
            issuer: _configuration["Jwt:Issuer"],
            audience: _configuration["Jwt:Audience"],
            claims: claims,
            expires: DateTime.Now.AddMinutes(60),
            signingCredentials: creds);

        return Ok(new
        {
            token = new JwtSecurityTokenHandler().WriteToken(token)
        });
    }
}

Important Part

new Claim(ClaimTypes.Role, role)

This stores the user role inside JWT token.

Step 7: Create Protected Controller

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[Route("api/[controller]")]
[ApiController]
public class DashboardController : ControllerBase
{
    [Authorize(Roles = "Admin")]
    [HttpGet("admin")]
    public IActionResult AdminPanel()
    {
        return Ok("Welcome Admin! Full access granted.");
    }

    [Authorize(Roles = "User")]
    [HttpGet("user")]
    public IActionResult UserPanel()
    {
        return Ok("Welcome User! Limited access granted.");
    }
}

What Does This Mean?

[Authorize(Roles="Admin")]
Only Admin can access
[Authorize(Roles="User")]
Only User can access

If wrong role → 403 Forbidden

Step 8: Test in Postman

1️⃣ Login as Admin

{
  "username": "admin",
  "password": "123"
}

Get token.

2️⃣ Call Admin API

Add Header:

Authorization: Bearer YOUR_TOKEN

Call:

GET /api/dashboard/admin

Output:

Welcome Admin! Full access granted.

3️⃣ Login as User and try Admin API

Result:

403 Forbidden

Role restriction works ✅

Why Role-Based Authorization is Important?

✔ Security
✔ Access control
✔ Enterprise applications
✔ Used in production systems

Final Result

You built:

✔ JWT Authentication
✔ Role-based token
✔ Admin access control
✔ User access control