Authorization is the process that decides what a user is able to do. For example, the user Adam may be able to create a document library, add documents, edit them and delete them, while Bob might only be authorized to read the documents in a single library.
Authorization In Asp.Net Part V
In this part we discuss authorization checks inside views and limiting identity by the
authentication scheme.
Usually, a developer wants to show, hide or otherwise modify the UI based on the current user
identity. You can evaluate authorization within MVC views via dependency injection.
To inject the authorization service into a Razor view, use the @inject directive, for example,
@inject IAuthorizationService AuthorizationService. If you want the authorization service in every
view, then place the @inject directive into the _ViewImports.cshtml file in the Views directory.
Once you have injected the authorization service, you use it by calling the AuthorizeAsync method
in the same way as you would check during resource based authorization.
@if (await AuthorizationService.AuthorizeAsync(User, "PolicyName"))
{
    <p>This paragraph is displayed because you fulfilled PolicyName.</p>
}
In some cases, the resource will be your view model, and you can call AuthorizeAsync in the
very same way as you would check during resource based authorization:
@if (await AuthorizationService.AuthorizeAsync(User, Model, Operations.Edit))
{
    <p><a class="btn btn-default" role="button"
        href="@Url.Action("Edit", "Document", new { id = Model.Id })">Edit</a></p>
}
Here the model is passed as the resource that authorization should take into consideration.
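The view check only decides whether the Edit link is rendered, so the action the link points to has to repeat it on the server. The following is an added example, not code from the original article, that enforces the same Operations.Edit requirement in the controller. It assumes the ASP.NET Core 1.x API used on this page, where AuthorizeAsync returns a bool; Document, IDocumentRepository and DocumentOwnerHandler are hypothetical names.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Infrastructure;
using Microsoft.AspNetCore.Mvc;

// Hypothetical model and store, assumed for this example.
public class Document { public int Id { get; set; } public string OwnerId { get; set; } }
public interface IDocumentRepository { Document Find(int id); }

// The requirement the view snippet refers to as Operations.Edit.
public static class Operations
{
    public static readonly OperationAuthorizationRequirement Edit =
        new OperationAuthorizationRequirement { Name = "Edit" };
}

// Hypothetical rule: only the owner of a document may edit it.
public class DocumentOwnerHandler
    : AuthorizationHandler<OperationAuthorizationRequirement, Document>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
        OperationAuthorizationRequirement requirement, Document resource)
    {
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (requirement.Name == Operations.Edit.Name && userId != null
            && userId == resource.OwnerId)
            context.Succeed(requirement);   // not calling Succeed leaves the request denied
        return Task.CompletedTask;
    }
}

public class DocumentController : Controller
{
    private readonly IAuthorizationService _authorization;
    private readonly IDocumentRepository _documents;
    public DocumentController(IAuthorizationService authorization, IDocumentRepository documents)
    {
        _authorization = authorization;
        _documents = documents;
    }

    public async Task<IActionResult> Edit(int id)
    {
        var document = _documents.Find(id);
        if (document == null) return NotFound();
        // Same call as in the view: a hidden link is not an access control.
        if (!await _authorization.AuthorizeAsync(User, document, Operations.Edit))
            return new ChallengeResult();
        return View(document);
    }
}
```

The handler has to be registered in ConfigureServices, for example with services.AddSingleton<IAuthorizationHandler, DocumentOwnerHandler>(), or the check always fails.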
Limiting identity by scheme
In certain cases, such as Single Page Applications, it is possible to end up with multiple
authentication methods, e.g., the application may use cookie-based authentication to log in and bearer
authentication for JavaScript requests. In some cases, you might have many instances of an
authentication middleware. For instance, two cookie middlewares where one contains a basic identity
and one is created when a multi-factor authentication is triggered because the user requested an
operation that requires extra security.
Authentication schemes are named when the authentication middleware is configured, for example:
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
    AuthenticationScheme = "Cookie",
    LoginPath = new PathString("/Account/Unauthorized/"),
    AccessDeniedPath = new PathString("/Account/Forbidden/"),
    AutomaticAuthenticate = false
});
app.UseBearerAuthentication(options =>
{
    options.AuthenticationScheme = "Bearer";
    options.AutomaticAuthenticate = false;
});
In this configuration two authentication middlewares are added, one for cookies and one for bearer.
N.B.
When adding multiple authentication middlewares you must ensure that no middleware is
configured to run automatically. You do this by setting the AutomaticAuthenticate options
property to false. If you fail to do this, filtering by scheme will not work.
Selecting the scheme with the Authorize attribute
As no authentication middleware is configured to run automatically and create an identity, you must
choose, at the point of authorization, which middleware is to be used. The basic
way to select the middleware you want to authorize with is to use the
ActiveAuthenticationSchemes property. This property accepts a comma delimited list of
authentication schemes to use, e.g.
[Authorize(ActiveAuthenticationSchemes = "Cookie,Bearer")]
public class MixedController : Controller
In the above example, both the cookie and bearer middlewares will run and have a chance to create
and attach an identity for the current user. If you specify a single scheme, only the specified
middleware will run:
[Authorize(ActiveAuthenticationSchemes = "Bearer")]
In this case, only the middleware with the Bearer scheme would run, and any cookie-based
identities will be ignored.
Selecting the scheme with policies
If you want to specify the desired schemes in policy you can set the AuthenticationSchemes
collection when adding your policy.
options.AddPolicy("Over18", policy =>
{
    policy.AuthenticationSchemes.Add("Bearer");
    policy.RequireAuthenticatedUser();
    policy.Requirements.Add(new Over18Requirement());
});
In this instance the Over18 policy will only run against the identity created by the Bearer
middleware.