Let's talk about two important use cases: authorizing API access based on a user role defined by the system, and authorizing a user based on the claims carried in the incoming request's token. While these two may seem different in functionality and usage, they both branch out from the policy-based authorization that ASP.NET Core provides.
In a previous article we discussed securing a web API in ASP.NET Core using JWT Bearer tokens. While that approach is elegant, we can get finer-grained control over our API by authorizing the users who present those access tokens, rather than only authenticating them. In this article, we shall look at a policy-based approach in which every authenticated user must additionally satisfy a defined policy in order to access the web API.
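The two cases above, role-based and claims-based, expressed as ASP.NET Core authorization policies. This is an added example, not code from the article; it assumes the JWT bearer scheme is already configured as in the previous article, and the policy names, roles and claim types are hypothetical.

```csharp
// Added example (not from the article): ASP.NET Core policy-based authorization
// with one role-based policy and one claims-based policy, both evaluated against
// the claims of the incoming JWT. Assumes the bearer scheme is configured as in
// the previous article; policy names, roles and claim types are hypothetical.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(); // validation parameters (issuer, audience, key) set elsewhere

builder.Services.AddAuthorization(options =>
{
    // Role-based: the token's role claim must include "Admin".
    options.AddPolicy("AdminsOnly", p => p.RequireRole("Admin"));
    // Claims-based: a "department" claim with one of the allowed values.
    options.AddPolicy("FinanceDepartment", p =>
        p.RequireClaim("department", "finance", "audit"));

    // Composed: arbitrary logic over the ClaimsPrincipal, e.g. role AND claim.
    options.AddPolicy("VerifiedFinanceAdmin", p => p.RequireAssertion(ctx =>
        ctx.User.IsInRole("Admin") &&
        ctx.User.HasClaim("department", "finance") &&
        ctx.User.HasClaim(c => c.Type == "email_verified" && c.Value == "true")));

    // Fail closed: endpoints without [AllowAnonymous] require an authenticated user.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser().Build();
});
builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication(); // must precede UseAuthorization
app.UseAuthorization();
app.MapControllers();
app.Run();

[ApiController]
[Route("api/[controller]")]
public class ReportsController : ControllerBase
{
    [HttpGet("summary")]
    [Authorize(Policy = "FinanceDepartment")]   // 403 if the claim is missing
    public IActionResult Summary() => Ok(new { scope = "finance summary" });
    [HttpDelete("{id}")]
    [Authorize(Policy = "VerifiedFinanceAdmin")]
    public IActionResult Delete(int id) => NoContent();
}
```

A request whose token is valid but lacks the required role or claim is authenticated yet receives 403 Forbidden, which is the distinction between authentication and policy-based authorization that the rest of the article builds on.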