Thank you very much. Can you also make a video on how to change the user claim after the user is logged in? I need the flexibility to refresh the claims of the user without asking him to log out and log in again.
@yoges waran, thanks for watching the video! If I understand your requirement correctly, what you are looking for is the refresh token implementation. I have done a video on the same here: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-7JP7V59X1sk.html Please take a look and let me know if this serves your purpose.
First of all, great video. Got a quick question, at 16:58, you replaced the previous policy "AdminAndPowerUser" with the new one "EmployeeWithMoreThan20Years". What if I want to keep the previous one as well, so a user who is an Admin but has worked less than 20 years can still have the access? Could you please help to explain how to implement that? Thanks very much.
@Chenru Yan, I am not 100% sure, I will have to try it out, but the easiest solution I can think of is creating a new policy to cover all the scenarios.
@DotNetCoreCentral Thanks for your reply. For the new policy, does that mean a new handler will be created to check if the user belongs to Admin or PowerUser or has worked more than 20 years? That feels like repeating what has already been done in the other two policies. Just curious, is it possible in the Startup.cs file to do something such as options.AddPolicy("Combined", policy => policy.Add("AdminAndPowerUser", "EmployeeWithMoreThan20Years")); I am quite new to ASP.NET, please bear with all my naive questions.
@yanchenru This post on Stack Overflow should help you with your requirement: stackoverflow.com/questions/35609632/asp-net-5-authorize-against-two-or-more-policies-or-combined-policy
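An added example, not code from the video or from any commenter: one way to get the "Admin or PowerUser, or more than 20 years" behaviour asked about above is a single requirement with two handlers, since ASP.NET Core treats a requirement as met when any of its handlers succeeds. The role names, the "EmploymentDate" claim type, and all class names here are assumptions.

```csharp
using System;
using System.Globalization;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// One requirement, several handlers: it is met if ANY handler calls Succeed.
public class AdminOrLongServiceRequirement : IAuthorizationRequirement
{
    public int MinimumYears { get; } = 20;
}

public class PrivilegedRoleHandler : AuthorizationHandler<AdminOrLongServiceRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, AdminOrLongServiceRequirement requirement)
    {
        // Role names are assumptions taken from the policy name in the thread.
        if (context.User.IsInRole("Admin") || context.User.IsInRole("PowerUser"))
            context.Succeed(requirement);
        return Task.CompletedTask; // no Fail(): the other handler may still succeed
    }
}

public class LongServiceHandler : AuthorizationHandler<AdminOrLongServiceRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, AdminOrLongServiceRequirement requirement)
    {
        // "EmploymentDate" is a hypothetical claim type; missing or unparsable grants nothing.
        var raw = context.User.FindFirst("EmploymentDate")?.Value;
        if (DateTime.TryParse(raw, CultureInfo.InvariantCulture, DateTimeStyles.None, out var start)
            && start.AddYears(requirement.MinimumYears) <= DateTime.UtcNow)
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

public static class CombinedPolicySetup
{
    // Call from Startup.ConfigureServices.
    public static void AddCombinedPolicy(this IServiceCollection services)
    {
        services.AddSingleton<IAuthorizationHandler, PrivilegedRoleHandler>();
        services.AddSingleton<IAuthorizationHandler, LongServiceHandler>();
        services.AddAuthorization(options => options.AddPolicy("Combined", policy =>
            policy.RequireAuthenticatedUser().AddRequirements(new AdminOrLongServiceRequirement())));
    }
}
```

Neither handler calls context.Fail(), because a Fail from one handler would deny access even when the other succeeds.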
Good video, but I have a question: what if my roles are created while the application is running? They should not be hard-coded here, especially when you are using the RequireRole function.
@Osama ALSHABANi, thanks for watching! For your question, roles are usually decided as part of the requirement gathering process, not so much as a part of runtime code. But if you have a scenario where roles are created dynamically, in that case, you cannot use it this way for sure.
My friend it's authorization not authentication. You can authenticate yourself with bearer token, cookie etc. - just to tell who you are. You can authorize yourself with policies or roles - check if you're allowed to do something.