Simple roles like Admin or User are no longer sufficient for authorization in contemporary ASP.NET Core apps. Context-aware authorization is necessary for enterprise systems, where decisions about access are based on the user’s identity, the customer they belong to, and the business or tenant they work for.

This article demonstrates a production-grade authorization architecture using:

• JWT claims (UserId, CustomerId, CompanyId)
• Attribute-based policies
• Custom authorization handlers
• Strongly typed claim access
• Multi-tenant data isolation
• Testable and reusable design

This approach is ideal for microservices, SaaS platforms, and B2B systems.

1. Context-Aware JWT Design

A secure JWT should carry authorization context, not UI state.

Each claim answers a question:

2. JWT Authentication Setup

JWT validation happens locally in every microservice.

This removes runtime dependency on the authentication service and improves performance.

3. Authorization Policies (The Rules Engine)

Policies define what must be true for access.

Policies are reusable, composable, and testable.

4. Attribute-Based API Contracts

Attributes expose authorization intent directly on endpoints.

User + Company Attribute

User + Customer + Company Attribute

This keeps controllers declarative and clean.

5. Strongly Typed Claim Access

Avoid repeating FindFirst() everywhere.

This pattern:

• Eliminates null bugs
• Improves readability
• Centralizes parsing logic

6. Custom IAuthorizationHandler (Enterprise Control)

Policies validate presence.
Handlers validate relationships.

Requirement

Handler

Registration

This enables fine-grained, business-aware authorization.

7. Controller Usage (Method-Level Precision)

Controllers remain thin, focused only on application logic.

8. Multi-Tenant Data Isolation (EF Core)

Prevent cross-tenant data leaks using global query filters.

This guarantees tenant isolation by default.

9. Unit Testing Authorization