ASP.NET 5 Authorize against two or more policies (OR-combined policy)

Not the way you want; policies are designed to be cumulative. For example, if you use two separate attributes then they must both pass.

You have to evaluate OR conditions within a single policy. But you don't have to code it as ORs within a single handler. You can have a requirement which has more than one handler. If either of the handlers flags success then the requirement is fulfilled. See Step 6 in my Authorization Workshop.


When setting up a new policy "LimitedOrFull" (assuming they match the claim type names), create a requirement like this:

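services.AddAuthorization(options =>
{
    // One policy that passes if the user holds either claim type.
    options.AddPolicy("LimitedOrFull", policy =>
        policy.RequireAssertion(context =>
            context.User.HasClaim(c =>
                c.Type == "Limited" ||
                c.Type == "Full")));
});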

https://docs.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-2.1#using-a-func-to-fulfill-a-policy


.NET Core has an option to have multiple AuthorizationHandlers that have the same AuthorizationRequirement type. Only one of these has to succeed to pass authorization: https://docs.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-2.1#why-would-i-want-multiple-handlers-for-a-requirement
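
The multiple-handler approach described in the first and last answers, written out as an added example (not code from any of the answers or from the linked workshop). The class names LimitedOrFullRequirement, LimitedHandler, FullHandler and AuthorizationSetup are hypothetical; the claim types "Limited" and "Full" and the policy name are taken from the second answer.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical marker requirement: met as soon as ANY of its handlers calls Succeed.
public class LimitedOrFullRequirement : IAuthorizationRequirement { }

public class LimitedHandler : AuthorizationHandler<LimitedOrFullRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, LimitedOrFullRequirement requirement)
    {
        if (context.User.HasClaim(c => c.Type == "Limited"))
            context.Succeed(requirement);
        // No match: return without calling context.Fail(). Fail() is a veto
        // and would deny access even if FullHandler succeeds.
        return Task.CompletedTask;
    }
}

public class FullHandler : AuthorizationHandler<LimitedOrFullRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, LimitedOrFullRequirement requirement)
    {
        if (context.User.HasClaim(c => c.Type == "Full"))
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

public static class AuthorizationSetup
{
    // Call from ConfigureServices: services.AddLimitedOrFullPolicy();
    public static void AddLimitedOrFullPolicy(this IServiceCollection services)
    {
        services.AddAuthorization(options =>
            options.AddPolicy("LimitedOrFull", policy =>
                policy.AddRequirements(new LimitedOrFullRequirement())));

        // Both handlers target the same requirement type, so they are OR-combined.
        services.AddSingleton<IAuthorizationHandler, LimitedHandler>();
        services.AddSingleton<IAuthorizationHandler, FullHandler>();
    }
}
```

Apply it with `[Authorize(Policy = "LimitedOrFull")]` on the controller or action. Stacking a second `[Authorize]` attribute on top of this one is still AND-combined with it.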