ASP.NET Core authorization provides a simple, declarative role and a rich policy-based model. Authorization is expressed in requirements, and handlers evaluate a user's claims against requirements. Imperative checks can be based on simple policies or policies which evaluate both the user identity and properties of the resource that the user is attempting to access.
In Package Manager Console :
Add-Migration Add_refresh_token_table
Update-Database
We can retrieve the meaning of the token. Currently we don't have the roles included in the token :
- Register :
- Get user role :
- Token not yet expired :
- Token has been used :
- Token successfully refreshed :
- Todo without authentication :
- Todo with authentication :
- Remove user from role :
- User cannot create todo because lacking required AppUser role :
- user not authorized because lacking Department policy :
- Add department policy to that user :
- now the user is authorized :
