
Simple authorization in ASP.NET Core

Authorization in ASP.NET Core is controlled with the [Authorize] attribute and its various parameters. In its most basic form, applying the [Authorize] attribute to a Razor component, controller, action, or Razor Page, limits access to that component to authenticated users.

This article uses Blazor Razor component examples and focuses on Blazor authorization scenarios. For Razor Pages and MVC guidance, see the following resources after reading this article:

[Authorize] attribute

In Blazor apps, specify the [Authorize] attribute at the top of a Razor component file (.razor). In the following example, only authenticated users can access the page:

@page "/"
@using Microsoft.AspNetCore.Authorization
@attribute [Authorize]

<p>You can only see this if you're signed in.</p>

Important

Only use the [Authorize] attribute on @page components reached via the Blazor router. Authorization is only performed as an aspect of routing and not for child components rendered within a page. To authorize the display of specific parts within a page, use an AuthorizeView component instead, which is described in ASP.NET Core Blazor authentication and authorization.

The [Authorize] attribute can also be applied to all of the Razor components in a Blazor app or a subset of Razor components in a folder using an _Imports file (_Imports.razor). Add an @using directive for the Microsoft.AspNetCore.Authorization namespace with an @attribute directive for the [Authorize] attribute:

@using Microsoft.AspNetCore.Authorization
@attribute [Authorize]

The [Authorize] attribute also supports role-based or policy-based authorization. For role-based authorization, use the Roles parameter. In the following example, the user can only access the page if they're in the Admin or Superuser role:

@page "/"
@attribute [Authorize(Roles = "Admin, Superuser")]

<p>You can only see this if you're in the 'Admin' or 'Superuser' role.</p>

For policy-based authorization, use the Policy parameter. In the following example, the user can only access the page if they satisfy the requirements of the Over21 authorization policy:

@page "/"
@attribute [Authorize(Policy = "Over21")]

<p>You can only see this if you satisfy the 'Over21' policy.</p>
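The Over21 policy referenced above has to be defined somewhere for the attribute to work. The following is an added example, not code from this article: it shows a requirement, the handler that evaluates it, and the registration in Program.cs. The type names MinimumAgeRequirement, MinimumAgeHandler and Over21PolicyRegistration are assumptions; the ASP.NET Core authorization APIs used are the framework's own.

```csharp
// Added example (not from the article): backing the "Over21" policy used by
// [Authorize(Policy = "Over21")]. MinimumAgeRequirement, MinimumAgeHandler and
// Over21PolicyRegistration are assumed names, not framework types.
using System;
using System.Globalization;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// A requirement is a marker type carrying the data the handler evaluates.
public sealed class MinimumAgeRequirement : IAuthorizationRequirement
{
    public int MinimumAge { get; }
    public MinimumAgeRequirement(int minimumAge) => MinimumAge = minimumAge;
}

// The handler calls Succeed only when a date-of-birth claim is present, parses,
// and meets the minimum age. Every other path leaves the requirement unmet, so
// a missing or malformed claim is denied (the "Not authorized." fallback).
public sealed class MinimumAgeHandler : AuthorizationHandler<MinimumAgeRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, MinimumAgeRequirement requirement)
    {
        var dob = context.User.FindFirst(ClaimTypes.DateOfBirth)?.Value;
        if (dob is not null &&
            DateOnly.TryParse(dob, CultureInfo.InvariantCulture,
                              DateTimeStyles.None, out var birthDate))
        {
            var today = DateOnly.FromDateTime(DateTime.UtcNow);
            var age = today.Year - birthDate.Year;
            if (birthDate > today.AddYears(-age)) age--; // birthday not yet reached this year
            if (age >= requirement.MinimumAge)
            {
                context.Succeed(requirement);
            }
        }
        return Task.CompletedTask;
    }
}

// Registration, called from Program.cs. Blazor WebAssembly uses
// AddAuthorizationCore; server-side apps use AddAuthorization with the same lambda.
public static class Over21PolicyRegistration
{
    public static void Register(IServiceCollection services)
    {
        services.AddAuthorizationCore(options =>
            options.AddPolicy("Over21", policy =>
                policy.Requirements.Add(new MinimumAgeRequirement(21))));
        services.AddSingleton<IAuthorizationHandler, MinimumAgeHandler>();
    }
}
```

Because the handler never calls context.Fail, other handlers for the same requirement could still satisfy it; use Fail only when a condition must block authorization regardless of other handlers.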

If neither Roles nor Policy is specified, [Authorize] uses the default policy:

  • Authenticated (signed-in) users are authorized.
  • Unauthenticated (signed-out) users are unauthorized.

When the user isn't authorized and if the app doesn't customize unauthorized content with the Router component, the framework automatically displays the following fallback message:

Not authorized.

For more information on Blazor authentication and authorization, see ASP.NET Core Blazor authentication and authorization.

Use the [AllowAnonymous] attribute to allow access by non-authenticated users to individual actions:

@using Microsoft.AspNetCore.Authorization
@attribute [AllowAnonymous]

For information on how to require authentication for all app users, see Create an ASP.NET Core app with user data protected by authorization.

Additional resources