{"id":27492,"date":"2020-01-29T00:00:00","date_gmt":"2020-01-28T23:00:00","guid":{"rendered":"https:\/\/blexin.com\/sicurezza-in-asp-net-core-con-policy-e-claim\/"},"modified":"2021-05-20T18:42:23","modified_gmt":"2021-05-20T16:42:23","slug":"security-in-asp-net-core-with-policies-and-claims","status":"publish","type":"post","link":"https:\/\/blexin.com\/en\/blog-en\/security-in-asp-net-core-with-policies-and-claims\/","title":{"rendered":"Security in ASP.NET Core with Policies and Claims"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"608\" data-attachment-id=\"27484\" data-permalink=\"https:\/\/blexin.com\/en\/blog-en\/security-in-asp-net-core-with-policies-and-claims\/attachment\/image00-11-2\/\" data-orig-file=\"https:\/\/i0.wp.com\/blexin.com\/wp-content\/uploads\/2020\/12\/image00-11.png?fit=1024%2C608&amp;ssl=1\" data-orig-size=\"1024,608\" data-comments-opened=\"0\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"image00-11\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/i0.wp.com\/blexin.com\/wp-content\/uploads\/2020\/12\/image00-11.png?fit=300%2C178&amp;ssl=1\" data-large-file=\"https:\/\/i0.wp.com\/blexin.com\/wp-content\/uploads\/2020\/12\/image00-11.png?fit=1024%2C608&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/blexin.com\/wp-content\/uploads\/2020\/12\/image00-11.png?resize=1024%2C608&#038;ssl=1\" alt=\"\" class=\"wp-image-27484\" srcset=\"https:\/\/blexin.com\/wp-content\/uploads\/2020\/12\/image00-11.png 1024w, 
https:\/\/blexin.com\/wp-content\/uploads\/2020\/12\/image00-11-980x582.png 980w, https:\/\/blexin.com\/wp-content\/uploads\/2020\/12\/image00-11-480x285.png 480w\" sizes=\"auto, (min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 1024px, 100vw\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Security in an application is indispensable, but it is not always easy to implement. Over the years, I have used different authorization models: from the classic role-based to custom authorizations, written ad hoc for the application domain. In this article, we analyze the new authorization model based on the policies introduced by .NET Core, which can easily adapt to a wide variety of scenarios.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To fully understand this model, we need a quick overview of role-based permissions, probably the most widely used model, whose limitations bring out the potential of the policy-based model.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A&nbsp;<strong>role<\/strong>&nbsp;is nothing more than a string that identifies a permission set for an authenticated user in the system. The role-based authorization model allows, in .NET, the use of the&nbsp;<strong>Authorize<\/strong>&nbsp;attribute to restrict access to a resource, based on the specified role. The attribute is applied to a controller or to an action. 
The following code shows how to restrict access to the \u201cReportController\u201d to system administrators only, that is, users who are members of the \u201cAdministrator\u201d role:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: csharp; title: ; notranslate\" title=\"\">\n&#x5B;Authorize(Roles = &quot;Administrator&quot;)]\npublic class ReportController : Controller\n{\u00a0\u00a0 \n\u00a0\u00a0\/\/Code\n}\n<\/pre><\/div>\n\n\n<p class=\"wp-block-paragraph\">Of course, you can specify multiple roles allowed to use a specific controller: just enter the roles separated by a comma. A user who is a member of any one of the listed roles is granted access.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n&#x5B;Authorize(Roles = &quot;Manager,Administrator&quot;)]\npublic class ReportController : Controller\n{\n\u00a0\u00a0\u00a0\/\/Code\n}\n<\/pre><\/div>\n\n\n<p class=\"wp-block-paragraph\">The Authorize attribute, as mentioned above, is applicable at both the controller and the action level, which allows us to limit access to specific features:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: csharp; title: ; notranslate\" title=\"\">\n&#x5B;Authorize(Roles = &quot;Manager, Administrator&quot;)]\npublic class ReportController : Controller\n{\n\u00a0\u00a0\u00a0\u00a0public ActionResult ViewReport()\n\u00a0\u00a0\u00a0\u00a0{\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\/\/Code\n\u00a0\u00a0\u00a0\u00a0}\n\u00a0\u00a0\u00a0\u00a0&#x5B;Authorize(Roles = &quot;Administrator&quot;)]\n\u00a0\u00a0\u00a0\u00a0public ActionResult DeleteAllReports()\n\u00a0\u00a0\u00a0\u00a0{\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\/\/Code\n\u00a0\u00a0\u00a0\u00a0}\n}\n<\/pre><\/div>\n\n\n<p class=\"wp-block-paragraph\">By stacking two Authorize attributes, we can restrict access to ReportController to users who belong to both the \u201cManager\u201d and \u201cAdministrator\u201d roles, making the authorization more stringent.<\/p>\n\n\n<div 
class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: csharp; title: ; notranslate\" title=\"\">\n&#x5B;Authorize(Roles = &quot;Manager&quot;)]\n&#x5B;Authorize(Roles = &quot;Administrator&quot;)]\npublic class ReportController\u00a0 : Controller\n{\n}\n<\/pre><\/div>\n\n\n<p class=\"wp-block-paragraph\">These examples highlight both the ease of use and the limitations of this model. Imagine, for example, the scenario where your domain does not have a single figure of \u201cAdministrator,\u201d but multiple versions of it, a \u201cCustomerAdministrator,\u201d a \u201cProductAdministrator,\u201d a \u201cSuperAdministrator\u201d. Your application will have to take all these figures into account, increasing the granularity of your permissions: when the number of roles increases, the management difficulty increases with it. It is precisely in these scenarios that the policy-based model can make a difference.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s start with the three main concepts:&nbsp;<strong>Policy<\/strong>,<strong>&nbsp;Requirements<\/strong>, and<strong>&nbsp;Handlers<\/strong>. 
A policy is a set of requirements; a requirement is a set of parameters that are used to validate the identity of the user, while a handler is used to determine whether a user has access to a specific resource using the parameters contained in the requirements.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A policy is usually registered at the startup of the application, more precisely in the&nbsp;<strong>ConfigureServices()<\/strong>&nbsp;method of the class Startup.cs.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: csharp; title: ; notranslate\" title=\"\">\nservices.AddAuthorization(options =&gt;\n\u00a0\u00a0{\n\u00a0\u00a0\u00a0\u00a0options.AddPolicy(&quot;RequireManagerOnly&quot;, policy =&gt;\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0policy.RequireRole(&quot;Manager&quot;,&quot;Administrator&quot;));\n\u00a0\u00a0});\n<\/pre><\/div>\n\n\n<p class=\"wp-block-paragraph\">Applying a registered policy is an effortless operation: use the attribute authorize already seen above, in a slightly different form:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n&#x5B;Authorize(Policy = &quot;ShouldBeEmployeeOnly&quot;)]\npublic class ReportController : Controller\n{\n\u00a0\u00a0\u00a0\u00a0&#x5B;Authorize(Policy = &quot;RequireAdminOnly&quot;)]\n\u00a0\u00a0\u00a0\u00a0public ActionResult DeleteReports()\n\u00a0\u00a0\u00a0\u00a0{\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\/\/code\n\u00a0\u00a0\u00a0\u00a0}\n}\n<\/pre><\/div>\n\n\n<p class=\"wp-block-paragraph\">The first thing that strikes you is the greater expressivity of the policy: another developer, who will work on your code, will certainly be facilitated in understanding how you have protected a specific functionality.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The roles of our domain have been used in the example. 
But this is not the only way available: we can also use&nbsp;<strong>Claims<\/strong>&nbsp;to express policy requirements.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A Claim is nothing more than a key\/value pair that identifies a feature of a subject, such as name, age, document number, and more. In this way, we can express the requirements of a policy by checking the value contained in a given claim, for example, to enable a specific function only for adult customers.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The registration of policy requirements through claims is done when defining the policy itself. If we want to create a policy that allows access based on the existence of a specific claim for an authenticated user in the system, we can do it this way:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: csharp; title: ; notranslate\" title=\"\">\npublic void ConfigureServices(IServiceCollection services)\n{\n\u00a0\u00a0\u00a0\u00a0services.AddMvc();\n\u00a0\u00a0\u00a0\u00a0services.AddAuthorization(options =&gt;\n\u00a0\u00a0\u00a0\u00a0{\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0options.AddPolicy(&quot;ShouldBeOnlyEmployee&quot;, policy =&gt;\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0policy.RequireClaim(&quot;EmployeeId&quot;));\n\u00a0\u00a0\u00a0\u00a0});\n}\n<\/pre><\/div>\n\n\n<p class=\"wp-block-paragraph\">Once registered, the policy is usable through the Authorize attribute on a controller or on a specific Action.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: csharp; title: ; notranslate\" title=\"\">\n&#x5B;Authorize(Policy = &quot;ShouldBeOnlyEmployee&quot;)]\npublic IActionResult SomeMethod()\n{\n\u00a0\u00a0\u00a0\u00a0\/\/Write your code here\n}\n<\/pre><\/div>\n\n\n<p class=\"wp-block-paragraph\">As mentioned above, you can express policy requirements by checking the value contained in a particular claim. 
Here is the code snippet that performs this check on the value contained in the claim \u201cIsAdmin\u201d:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: csharp; title: ; notranslate\" title=\"\">\npublic void ConfigureServices(IServiceCollection services)\u00a0 \n{\u00a0 \n\u00a0\u00a0\u00a0\u00a0services.AddMvc();\n\u00a0\u00a0\u00a0\n\u00a0\u00a0\u00a0\u00a0services.AddAuthorization(options =&gt;\u00a0 \n\u00a0\u00a0\u00a0\u00a0{\u00a0 \n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0options.AddPolicy(&quot;CustomSecurityPolicy&quot;, policy =&gt;\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0policy.RequireClaim(&quot;IsAdmin&quot;, &quot;true&quot;));\u00a0 \n\u00a0\u00a0\u00a0\u00a0});\u00a0 \n}\n<\/pre><\/div>\n\n\n<p class=\"wp-block-paragraph\">In the examples so far, handlers were implicit. Let\u2019s now see how we can create a custom requirement to use with our policies, and the handlers that manage it.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A requirement, in .NET Core, is a class that implements the interface&nbsp;<strong>IAuthorizationRequirement<\/strong>&nbsp;and acts as a container of the parameters with which the requirement will be managed. Here is an example:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: csharp; title: ; notranslate\" title=\"\">\npublic class MinimumYearsInCompanyRequirement : IAuthorizationRequirement\n{\n\u00a0\u00a0\u00a0\u00a0public int MinimumYears { get; set; }\n\u00a0\u00a0\u00a0\u00a0public MinimumYearsInCompanyRequirement(int experience)\n\u00a0\u00a0\u00a0\u00a0{\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0MinimumYears = experience;\n\u00a0\u00a0\u00a0\u00a0}\u00a0\u00a0\u00a0 \n}\n<\/pre><\/div>\n\n\n<p class=\"wp-block-paragraph\">A requirement may have one or more handlers, which are used to evaluate its properties. 
A handler is nothing more than a class that extends&nbsp;<strong>AuthorizationHandler&lt;T&gt;<\/strong>&nbsp;and implements the&nbsp;<strong>HandleRequirementAsync()<\/strong>&nbsp;method.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: csharp; title: ; notranslate\" title=\"\">\npublic class MinimumYearsHandler :\n\u00a0\u00a0AuthorizationHandler&lt;MinimumYearsInCompanyRequirement&gt;\n\u00a0\u00a0\u00a0\u00a0{\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0protected override Task HandleRequirementAsync(\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0AuthorizationHandlerContext context,\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0MinimumYearsInCompanyRequirement requirement)\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0throw new NotImplementedException();\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}\n\u00a0\u00a0\u00a0\u00a0}\n<\/pre><\/div>\n\n\n<p class=\"wp-block-paragraph\">Below is a simple implementation of the&nbsp;handler, which finds the claim and evaluates the requirement:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: csharp; title: ; notranslate\" title=\"\">\npublic class MinimumYearsHandler : AuthorizationHandler&lt;MinimumYearsInCompanyRequirement&gt;\n{\n\u00a0\u00a0\u00a0\u00a0protected override Task HandleRequirementAsync(\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0AuthorizationHandlerContext context,\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0MinimumYearsInCompanyRequirement requirement)\n\u00a0\u00a0\u00a0\u00a0{\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0var user = context.User;\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0var claim = context.User.FindFirst(&quot;MinYears&quot;);\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if(claim != 
null)\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\/\/ A malformed claim value leaves the requirement unsatisfied instead of throwing\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (int.TryParse(claim.Value, out var expInYears)\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&amp;&amp; expInYears &gt;= requirement.MinimumYears)\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0context.Succeed(requirement);\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return Task.CompletedTask;\n\u00a0\u00a0\u00a0\u00a0}\n}\n<\/pre><\/div>\n\n\n<p class=\"wp-block-paragraph\">As you can see, when the evaluation of the requirement\u2019s parameters succeeds, you only need to call the&nbsp;<strong>Succeed()<\/strong>&nbsp;method of the AuthorizationHandlerContext, passing the requirement instance as the argument; this marks the requirement as satisfied and enables the functionality that you have protected.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The registration of Handlers and custom Requirements is always done at the startup of the application in the&nbsp;<strong>ConfigureServices<\/strong>&nbsp;method.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: csharp; title: ; notranslate\" title=\"\">\npublic void ConfigureServices(IServiceCollection services)\n{\n\u00a0\u00a0services.AddMvc();\n\u00a0\u00a0services.AddAuthorization(options =&gt;\n\u00a0\u00a0\u00a0\u00a0{\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0options.AddPolicy(&quot;MinYears&quot;, policy =&gt;\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0policy.Requirements.Add(\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0new MinimumYearsInCompanyRequirement(5)));\n\u00a0\u00a0\u00a0\u00a0});\n\u00a0\u00a0services.AddSingleton&lt;IAuthorizationHandler,\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0MinimumYearsHandler&gt;();\n}\n<\/pre><\/div>\n\n\n<p class=\"wp-block-paragraph\">Simple, 
expressive and powerful. Give it a chance and you won\u2019t regret it.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">See you in the next article!<\/p>\n\n\n\n\n","protected":false},"excerpt":{"rendered":"<p>Let\u2019s see how to secure an ASP.NET Core application using Policies and Claims<\/p>\n","protected":false},"author":196716246,"featured_media":27484,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"off","_et_pb_old_content":"","_et_gb_content_width":"","_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","_crdt_document":"","inline_featured_image":false,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"_wpas_customize_per_network":false},"categories":[688637524],"tags":[688637416,688637384],"class_list":["post-27492","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-en","tag-asp-net-core-en","tag-c-en"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Security in ASP.NET Core with Policies and Claims - Blexin<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blexin.com\/en\/blog-en\/security-in-asp-net-core-with-policies-and-claims\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta 
property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Security in ASP.NET Core with Policies and Claims - Blexin\" \/>\n<meta property=\"og:description\" content=\"Let\u2019s see how to secure an ASP.NET Core application using Policies and Claims\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blexin.com\/en\/blog-en\/security-in-asp-net-core-with-policies-and-claims\/\" \/>\n<meta property=\"og:site_name\" content=\"Blexin\" \/>\n<meta property=\"article:published_time\" content=\"2020-01-28T23:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-05-20T16:42:23+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/i2.wp.com\/blexin.com\/wp-content\/uploads\/2020\/12\/image00-11.png?fit=1024%2C608&ssl=1\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"608\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Francesco de Vicariis\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Francesco de Vicariis\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blexin.com\/en\/blog-en\/security-in-asp-net-core-with-policies-and-claims\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blexin.com\/en\/blog-en\/security-in-asp-net-core-with-policies-and-claims\/\"},\"author\":{\"name\":\"Francesco de Vicariis\",\"@id\":\"https:\/\/blexin.com\/en\/#\/schema\/person\/6f8514ed8b0d3be31369ca5436c4781f\"},\"headline\":\"Security in ASP.NET Core with Policies and Claims\",\"datePublished\":\"2020-01-28T23:00:00+00:00\",\"dateModified\":\"2021-05-20T16:42:23+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blexin.com\/en\/blog-en\/security-in-asp-net-core-with-policies-and-claims\/\"},\"wordCount\":884,\"image\":{\"@id\":\"https:\/\/blexin.com\/en\/blog-en\/security-in-asp-net-core-with-policies-and-claims\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/i0.wp.com\/blexin.com\/wp-content\/uploads\/2020\/12\/image00-11.png?fit=1024%2C608&ssl=1\",\"keywords\":[\"Asp.net core\",\"C#\"],\"articleSection\":[\"Blog\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blexin.com\/en\/blog-en\/security-in-asp-net-core-with-policies-and-claims\/\",\"url\":\"https:\/\/blexin.com\/en\/blog-en\/security-in-asp-net-core-with-policies-and-claims\/\",\"name\":\"Security in ASP.NET Core with Policies and Claims - 
Blexin\",\"isPartOf\":{\"@id\":\"https:\/\/blexin.com\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blexin.com\/en\/blog-en\/security-in-asp-net-core-with-policies-and-claims\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blexin.com\/en\/blog-en\/security-in-asp-net-core-with-policies-and-claims\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/i0.wp.com\/blexin.com\/wp-content\/uploads\/2020\/12\/image00-11.png?fit=1024%2C608&ssl=1\",\"datePublished\":\"2020-01-28T23:00:00+00:00\",\"dateModified\":\"2021-05-20T16:42:23+00:00\",\"author\":{\"@id\":\"https:\/\/blexin.com\/en\/#\/schema\/person\/6f8514ed8b0d3be31369ca5436c4781f\"},\"breadcrumb\":{\"@id\":\"https:\/\/blexin.com\/en\/blog-en\/security-in-asp-net-core-with-policies-and-claims\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blexin.com\/en\/blog-en\/security-in-asp-net-core-with-policies-and-claims\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blexin.com\/en\/blog-en\/security-in-asp-net-core-with-policies-and-claims\/#primaryimage\",\"url\":\"https:\/\/i0.wp.com\/blexin.com\/wp-content\/uploads\/2020\/12\/image00-11.png?fit=1024%2C608&ssl=1\",\"contentUrl\":\"https:\/\/i0.wp.com\/blexin.com\/wp-content\/uploads\/2020\/12\/image00-11.png?fit=1024%2C608&ssl=1\",\"width\":1024,\"height\":608},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blexin.com\/en\/blog-en\/security-in-asp-net-core-with-policies-and-claims\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blexin.com\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Security in ASP.NET Core with Policies and Claims\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blexin.com\/en\/#website\",\"url\":\"https:\/\/blexin.com\/en\/\",\"name\":\"Blexin\",\"description\":\"Con noi \u00e8 
semplice\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blexin.com\/en\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blexin.com\/en\/#\/schema\/person\/6f8514ed8b0d3be31369ca5436c4781f\",\"name\":\"Francesco de Vicariis\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blexin.com\/en\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/b3a3164fd0b28d429cd427aafae38a687a41a250a2bccf4ab3b0744138afd64e?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/b3a3164fd0b28d429cd427aafae38a687a41a250a2bccf4ab3b0744138afd64e?s=96&d=identicon&r=g\",\"caption\":\"Francesco de Vicariis\"},\"url\":\"https:\/\/blexin.com\/en\/author\/francesco-devicariisblexin-com\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Security in ASP.NET Core with Policies and Claims - Blexin","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blexin.com\/en\/blog-en\/security-in-asp-net-core-with-policies-and-claims\/","og_locale":"en_US","og_type":"article","og_title":"Security in ASP.NET Core with Policies and Claims - Blexin","og_description":"Let\u2019s see how to secure an ASP.NET Core application using Policies and Claims","og_url":"https:\/\/blexin.com\/en\/blog-en\/security-in-asp-net-core-with-policies-and-claims\/","og_site_name":"Blexin","article_published_time":"2020-01-28T23:00:00+00:00","article_modified_time":"2021-05-20T16:42:23+00:00","og_image":[{"width":1024,"height":608,"url":"https:\/\/i2.wp.com\/blexin.com\/wp-content\/uploads\/2020\/12\/image00-11.png?fit=1024%2C608&ssl=1","type":"image\/png"}],"author":"Francesco de Vicariis","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Francesco de Vicariis","Est. 
reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blexin.com\/en\/blog-en\/security-in-asp-net-core-with-policies-and-claims\/#article","isPartOf":{"@id":"https:\/\/blexin.com\/en\/blog-en\/security-in-asp-net-core-with-policies-and-claims\/"},"author":{"name":"Francesco de Vicariis","@id":"https:\/\/blexin.com\/en\/#\/schema\/person\/6f8514ed8b0d3be31369ca5436c4781f"},"headline":"Security in ASP.NET Core with Policies and Claims","datePublished":"2020-01-28T23:00:00+00:00","dateModified":"2021-05-20T16:42:23+00:00","mainEntityOfPage":{"@id":"https:\/\/blexin.com\/en\/blog-en\/security-in-asp-net-core-with-policies-and-claims\/"},"wordCount":884,"image":{"@id":"https:\/\/blexin.com\/en\/blog-en\/security-in-asp-net-core-with-policies-and-claims\/#primaryimage"},"thumbnailUrl":"https:\/\/i0.wp.com\/blexin.com\/wp-content\/uploads\/2020\/12\/image00-11.png?fit=1024%2C608&ssl=1","keywords":["Asp.net core","C#"],"articleSection":["Blog"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/blexin.com\/en\/blog-en\/security-in-asp-net-core-with-policies-and-claims\/","url":"https:\/\/blexin.com\/en\/blog-en\/security-in-asp-net-core-with-policies-and-claims\/","name":"Security in ASP.NET Core with Policies and Claims - 
Blexin","isPartOf":{"@id":"https:\/\/blexin.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blexin.com\/en\/blog-en\/security-in-asp-net-core-with-policies-and-claims\/#primaryimage"},"image":{"@id":"https:\/\/blexin.com\/en\/blog-en\/security-in-asp-net-core-with-policies-and-claims\/#primaryimage"},"thumbnailUrl":"https:\/\/i0.wp.com\/blexin.com\/wp-content\/uploads\/2020\/12\/image00-11.png?fit=1024%2C608&ssl=1","datePublished":"2020-01-28T23:00:00+00:00","dateModified":"2021-05-20T16:42:23+00:00","author":{"@id":"https:\/\/blexin.com\/en\/#\/schema\/person\/6f8514ed8b0d3be31369ca5436c4781f"},"breadcrumb":{"@id":"https:\/\/blexin.com\/en\/blog-en\/security-in-asp-net-core-with-policies-and-claims\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blexin.com\/en\/blog-en\/security-in-asp-net-core-with-policies-and-claims\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blexin.com\/en\/blog-en\/security-in-asp-net-core-with-policies-and-claims\/#primaryimage","url":"https:\/\/i0.wp.com\/blexin.com\/wp-content\/uploads\/2020\/12\/image00-11.png?fit=1024%2C608&ssl=1","contentUrl":"https:\/\/i0.wp.com\/blexin.com\/wp-content\/uploads\/2020\/12\/image00-11.png?fit=1024%2C608&ssl=1","width":1024,"height":608},{"@type":"BreadcrumbList","@id":"https:\/\/blexin.com\/en\/blog-en\/security-in-asp-net-core-with-policies-and-claims\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blexin.com\/en\/"},{"@type":"ListItem","position":2,"name":"Security in ASP.NET Core with Policies and Claims"}]},{"@type":"WebSite","@id":"https:\/\/blexin.com\/en\/#website","url":"https:\/\/blexin.com\/en\/","name":"Blexin","description":"Con noi \u00e8 
semplice","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blexin.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blexin.com\/en\/#\/schema\/person\/6f8514ed8b0d3be31369ca5436c4781f","name":"Francesco de Vicariis","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blexin.com\/en\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/b3a3164fd0b28d429cd427aafae38a687a41a250a2bccf4ab3b0744138afd64e?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/b3a3164fd0b28d429cd427aafae38a687a41a250a2bccf4ab3b0744138afd64e?s=96&d=identicon&r=g","caption":"Francesco de Vicariis"},"url":"https:\/\/blexin.com\/en\/author\/francesco-devicariisblexin-com\/"}]}},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/blexin.com\/wp-content\/uploads\/2020\/12\/image00-11.png?fit=1024%2C608&ssl=1","jetpack_shortlink":"https:\/\/wp.me\/pcyUBx-79q","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/blexin.com\/en\/wp-json\/wp\/v2\/posts\/27492","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blexin.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blexin.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blexin.com\/en\/wp-json\/wp\/v2\/users\/196716246"}],"replies":[{"embeddable":true,"href":"https:\/\/blexin.com\/en\/wp-json\/wp\/v2\/comments?post=27492"}],"version-history":[{"count":6,"href":"https:\/\/blexin.com\/en\/wp-json\/wp\/v2\/posts\/27492\/revisions"}],"predecessor-version":[{"id":31949,"href":"https:\/\/blexin.com\/en\/wp-json\/wp\/v2\/posts\/27492\/revisions\/31949"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blexin.com\/en\/wp-json\/wp\/v2\/media\/27484"}],"wp:attachment":[{"href":"htt
ps:\/\/blexin.com\/en\/wp-json\/wp\/v2\/media?parent=27492"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blexin.com\/en\/wp-json\/wp\/v2\/categories?post=27492"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blexin.com\/en\/wp-json\/wp\/v2\/tags?post=27492"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}