Motivation In my previous post, Practical Permission-based Authorization in ASP.NET Core, I tried to demonstrate how to implement a regime of permissions-based authorization without having to stuff it all into an ever-exploding list of roles, without abusing claims, and without having to roll your own framework-fighting implementation. Resource filters allow you to do this elegantly and still remain in harmony with the framework. However, I may have been too terse. I got a couple questions and a request for a working example, which seemed like a reasonable request, so that what this post is about.
The New Identity framework As anyone following ASP.NET’s development in the last two years knows, ASP.NET Core has been released and there are a lot of changes. Gone are the days of IIS modules and handlers and the traditional ASP.NET pipeline. Instead, now we have a composable pipeline of delegates. Gone also are System.Web and much of the monolithic frameworks that often were used in web applications. The Identity framework is one that has also changed.