Claims-based Authorizations
In the previous sections, we saw how to achieve authentication using JWT, that is, how to identify a user against the stored data and grant them access to the web API resources.
In most applications, we need to allow only certain authenticated users to perform particular tasks. This is also known as authorization.
In ASP.NET Core, authorization can be achieved using claims. Instead of the traditional roles used for authorization, we use claims carried in the JWT to perform authorization.
Modify AppUser to include the IsSuperUser property. This property will indicate whether the logged-in user is a super user or not. The AppUser class now includes the IsSuperUser property:
    namespace PersonalBudget.Models
    {
        public class AppUser
        {
            public int Id { get; set; }
            public string UserName { get; set; }
            public string Password { get; set; }
            // Indicates whether the logged-in user is a super user
            public bool IsSuperUser { get; set; }
        }
    }
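The following is an added example, not the book's own code, showing how the IsSuperUser flag on AppUser is turned into a claim inside the signed JWT and how an authorization policy checks that claim. The class name TokenFactory, the policy name "SuperUserOnly", the claim type "is_super_user", the controller, and the key, issuer and audience values are all assumptions for illustration.

```csharp
// Added example (not the book's code): IsSuperUser becomes a claim in the signed
// JWT, and a policy restricts an action to tokens that carry that claim.
// TokenFactory, "SuperUserOnly", "is_super_user" and AdminController are assumed names.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;
using PersonalBudget.Models;

namespace PersonalBudget.Security
{
    public static class TokenFactory
    {
        public const string SuperUserClaim = "is_super_user";  // assumed claim type
        public const string SuperUserPolicy = "SuperUserOnly"; // assumed policy name

        // signingKey must be at least 256 bits for HS256 and must come from
        // configuration or a secret store, never from source code.
        public static string CreateToken(AppUser user, string signingKey,
                                         string issuer, string audience)
        {
            var claims = new List<Claim>
            {
                new Claim(JwtRegisteredClaimNames.Sub, user.UserName),
                new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
                // The authorization decision rests on this claim. Its value is taken
                // from the server-side AppUser record, never from the login request,
                // and it is covered by the token signature, so a client cannot flip
                // it without invalidating the token.
                new Claim(SuperUserClaim, user.IsSuperUser ? "true" : "false")
            };

            var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(signingKey));
            var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);

            var token = new JwtSecurityToken(
                issuer: issuer,
                audience: audience,
                claims: claims,
                expires: DateTime.UtcNow.AddMinutes(30), // short lifetime limits replay
                signingCredentials: credentials);

            return new JwtSecurityTokenHandler().WriteToken(token);
        }

        // Registers a policy that passes only when the validated token carries
        // is_super_user with the exact string value "true".
        public static void AddSuperUserPolicy(IServiceCollection services)
        {
            services.AddAuthorization(options =>
            {
                options.AddPolicy(SuperUserPolicy,
                    policy => policy.RequireClaim(SuperUserClaim, "true"));
            });
        }
    }

    // Only requests whose JWT passed bearer validation and satisfies the policy
    // reach this action; everyone else receives 401 or 403.
    [ApiController]
    [Route("api/[controller]")]
    public class AdminController : ControllerBase
    {
        [HttpGet("report")]
        [Authorize(Policy = TokenFactory.SuperUserPolicy)]
        public IActionResult GetReport() => Ok("super user only content");
    }
}
```

Two points worth checking in a real deployment: the policy is only meaningful if the JWT bearer middleware is configured to validate the signature, issuer, audience and lifetime (TokenValidationParameters), since RequireClaim trusts whatever claims the validated principal carries; and RequireClaim compares the claim value as a string, so the value written in CreateToken ("true") must match exactly what the policy expects.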
Modify the AuthController CreateToken action...