Redundant Content

[mobinseven]

This page is totally redundant as RequireClaim is part of policy based authorization. When you say "Claims-based authorization" alongside "Policy-Based" or "Role-Based" you must mean something similar to them (for example Authorize(Claim = ... ) ); Not just something that is a policy on its very nature. Policies are strict and static. Just like the example given in this page:"EmployeeOnly". It is not a claim. It is a policy! Claims are more dynamic and flexible; Much more diverse in type and value than what some static "Policy = " can handle. In my opinion "Claim-based authorization" is still an unfilled gap in this framework.

---

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: 25051544-0e4d-1715-95b7-3a8616475127
• Version Independent ID: 50736569-fc04-ec6d-7b33-a3e0c860b1ed
• Content: Claims-based authorization in ASP.NET Core
• Content Source: aspnetcore/security/authorization/claims.md
• Product: aspnet-core
• Technology: aspnetcore-security
• GitHub Login: @Rick-Anderson
• Microsoft Alias: riande

[ptsneves]

@mobinseven I agree that this information is redundant but for the reason that it is a misleading documentation, as you further elaborate.

This is my understanding after working with both forms of authorisation. Policy based authorisation is not the same as claims based, although you can make policies based purely on claims. A policy can have authorisation handlers that read claims or can do claim-unrelated logic. They also need to be registered before they are used, and the registration is not often done in the same place as the policy is used. So for one-offs claim checks, it is a very heavy requirement and clutters the code base.

The absence of this understanding led me to use policy based authorisation which is quite more complicated and requires more infrastructure, when actually i just needed to check for claims. To check for claims, the logic is simpler and can be done just with the user principal and HasClaim. I even made a tag helper that just check for the claim.

Am I fundamentally misunderstanding claims and policy authorisation?
[Edit just found an answer in SO with 400+ votes where the same argument is made]

[mobinseven]

Am I fundamentally misunderstanding claims and policy authorization?

@ptsneves I think not. You are simply using the policy-based authorization with just some HasClaim rule. Look at the sample code in this part of the policy-based authorization doc.
What I am expecting from a claim-based authorization is something that enables us to perform authorizations like this imaginary example:

<AuthorizeView Claim="@(new Claim("ClaimType","ClaimValue"))">
...
</AuthorizeView>

Otherwise it's still a policy-based authorization.
The currently implemented policy-based authorization is totally fine and flawless in many aspects. You can easily extend it with AuthorizationPolicyProvider to require claims in many ways.
(See how I'm using it: my AuthorizationPolicyProvider and PermissionRequirement )