A conference talk covering authorization patterns in .NET and ASP.NET Core, with live demos. Topics include the difference between authentication and authorization, why coupling them causes problems like role explosion and token bloat, and how to implement progressively more sophisticated authorization: default and fallback policies, named policies with role/claim requirements, custom IAuthorizationRequirement handlers with DI, external policy loading (JSON, OPA, policy servers), endpoint metadata-based permissions, and feature-area authorization. The talk also covers applying authorization to Razor Pages and Minimal APIs, using tag helpers to show/hide UI elements based on permissions, step-up authentication, and architectural guidance on designing authorization upfront before writing code.