Building a Custom Role-Based Authorization System in ASP.NET Core

In this guide, we’ll walk through the implementation of a custom role-based authorization system in ASP.NET Core. This system includes user registration, login, role management, and secure endpoint access using custom authorization attributes. We’ll al…

This content originally appeared on DEV Community and was authored by Sann Lynn Htun

In this guide, we’ll walk through the implementation of a custom role-based authorization system in ASP.NET Core. This system includes user registration, login, role management, and secure endpoint access using custom authorization attributes. We’ll also cover how to set up the project using EF Core Database-First, install the necessary NuGet packages, and configure Swagger for testing.

Step-by-Step: Package Installation and EF Core Database-First Setup

1. Install Required NuGet Packages

Open your project in Visual Studio or your preferred IDE, and install the following NuGet packages:

Core Packages

  • Microsoft.EntityFrameworkCore: The main EF Core package.
  • Microsoft.EntityFrameworkCore.SqlServer: For SQL Server database support.
  • Microsoft.EntityFrameworkCore.Tools: For EF Core migrations and scaffolding.
  • Microsoft.EntityFrameworkCore.Design: Required for EF Core design-time tools (e.g., Scaffold-DbContext).

Run the following commands in the Package Manager Console:

Install-Package Microsoft.EntityFrameworkCore
Install-Package Microsoft.EntityFrameworkCore.SqlServer
Install-Package Microsoft.EntityFrameworkCore.Tools
Install-Package Microsoft.EntityFrameworkCore.Design

Additional Packages

  • Effortless.Net.Encryption: For password hashing and token encryption.
  • Newtonsoft.Json: For JSON serialization and deserialization.
  • Swashbuckle.AspNetCore: For Swagger API documentation.

Run the following commands:

Install-Package Effortless.Net.Encryption
Install-Package Newtonsoft.Json
Install-Package Swashbuckle.AspNetCore

2. Set Up the Database

Create the database using the following SQL scripts:


Stores user information, including username, hashed password, and email.

    Username NVARCHAR(100) NOT NULL,
    Password NVARCHAR(256) NOT NULL, -- Hashed password
    Email NVARCHAR(100) NOT NULL


Stores roles and their descriptions.

    RoleName NVARCHAR(50) NOT NULL,
    RoleDescription NVARCHAR(255)


Links users to their roles.

CREATE TABLE Tbl_RolePermission (
    RolePermissionId INT PRIMARY KEY IDENTITY(1,1),
    RoleId INT NOT NULL,
    UserId INT NOT NULL,
    FOREIGN KEY (RoleId) REFERENCES Tbl_Role(RoleId),
    FOREIGN KEY (UserId) REFERENCES Tbl_User(UserId)


Tracks user login sessions.

CREATE TABLE Tbl_UserLogin (
    UserId INT NOT NULL,
    SessionId NVARCHAR(50) NOT NULL,
    SessionExpiredDate DATETIME NOT NULL,
    LogoutDate DATETIME NULL,
    FOREIGN KEY (UserId) REFERENCES Tbl_User(UserId)

3. Scaffold the Database Using EF Core

Use the Scaffold-DbContext command to generate the entity classes and DbContext from your database. Replace the placeholders with your database connection details:

Scaffold-DbContext "Server=YOUR_SERVER_NAME;Database=YOUR_DATABASE_NAME;Trusted_Connection=True;" Microsoft.EntityFrameworkCore.SqlServer -OutputDir Database/Models -ContextDir Database/Data -Context ApplicationDbContext

Verify the Generated Files

After running the command, you should see the following files in your project:

  • Entity Classes: Generated in the Database/Models folder (e.g., TblUser.cs, TblRole.cs).
  • DbContext Class: Generated in the Database/Data folder (e.g., ApplicationDbContext.cs).

4. Configure the DbContext in Program.cs

Register the ApplicationDbContext in the dependency injection container. Open Program.cs and add the following code:

var builder = WebApplication.CreateBuilder(args);

// Add DbContext with SQL Server
builder.Services.AddDbContext<ApplicationDbContext>(options =>

var app = builder.Build();

Add Connection String to appsettings.json

Add your database connection string to the appsettings.json file:

  "ConnectionStrings": {
    "DefaultConnection": "Server=YOUR_SERVER_NAME;Database=YOUR_DATABASE_NAME;Trusted_Connection=True;"

Custom Role-Based Authorization System

1. Authentication and User Services


Handles user login and token generation.

public class AuthService
    private readonly ApplicationDbContext _db;

    public AuthService(ApplicationDbContext db)
        _db = db;

    public string Login(string username, string password)
        var user = _db.TblUsers.FirstOrDefault(u => u.Username == username);

        if (user == null || !Hash.Verify(HashType.SHA256, password, "YourSalt", false, user.Password))
            throw new UnauthorizedAccessException("Invalid credentials");

        string sessionId = Ulid.NewUlid().ToString();
        var roles = _db.TblRolePermissions
            .Where(rp => rp.UserId == user.UserId)
            .Select(rp => rp.Role.RoleName)

        _db.TblUserLogins.Add(new TblUserLogin
            UserId = user.UserId,
            SessionId = sessionId,
            SessionExpiredDate = DateTime.UtcNow.AddHours(1), // 1-hour session
            LogoutDate = null


        return TokenService.GenerateToken(user.UserId, sessionId, roles);


Handles user registration and role assignment.

public class UserService
    private readonly ApplicationDbContext _db;

    public UserService(ApplicationDbContext db)
        _db = db;

    public void RegisterUser(string username, string password, string email, List<string> roles)
        string hashedPassword = Hash.Create(HashType.SHA256, password, "YourSalt", false);

        var user = new TblUser
            Username = username,
            Password = hashedPassword,
            Email = email


        foreach (var roleName in roles)
            var role = _db.TblRoles.FirstOrDefault(r => r.RoleName == roleName);
            if (role != null)
                _db.TblRolePermissions.Add(new TblRolePermission
                    RoleId = role.RoleId,
                    UserId = user.UserId


2. Token Service

The TokenService class handles token generation and decryption using symmetric encryption.

public static class TokenService
    private static readonly string EncryptionKey = "YourSecretEncryptionKey";

    public static string GenerateToken(int userId, string sessionId, List<string> roles)
        var tokenData = new
            UserId = userId,
            SessionId = sessionId,
            Roles = roles

        string jsonToken = JsonConvert.SerializeObject(tokenData);
        byte[] encryptedBytes = AES.Encrypt(jsonToken, EncryptionKey, Bytes.GenerateSalt());
        return Convert.ToBase64String(encryptedBytes);

    public static (int UserId, string SessionId, List<string> Roles) DecryptToken(string encryptedToken)
        byte[] encryptedBytes = Convert.FromBase64String(encryptedToken);
        string jsonToken = AES.Decrypt(encryptedBytes, EncryptionKey, Bytes.GenerateSalt());
        return JsonConvert.DeserializeObject<(int UserId, string SessionId, List<string> Roles)>(jsonToken);

3. Custom Authorization Attribute

The CustomAuthorizeAttribute enforces role-based access control on endpoints.

public class CustomAuthorizeAttribute : Attribute, IAuthorizationFilter
    private readonly string[] _requiredRoles;

    public CustomAuthorizeAttribute(params string[] requiredRoles)
        _requiredRoles = requiredRoles;

    public void OnAuthorization(AuthorizationFilterContext context)
        if (!context.HttpContext.Request.Headers.TryGetValue("Authorization", out var token))
            context.Result = new UnauthorizedResult(); // 401 Unauthorized

            var (userId, sessionId, roles) = TokenService.DecryptToken(token);

            using (var db = new ApplicationDbContext())
                var session = db.TblUserLogins
                    .FirstOrDefault(ul => ul.UserId == userId && ul.SessionId == sessionId && ul.SessionExpiredDate > DateTime.UtcNow && ul.LogoutDate == null);

                if (session == null)
                    context.Result = new UnauthorizedResult(); // 401 Unauthorized

            if (_requiredRoles.Length > 0 && !_requiredRoles.Any(role => roles.Contains(role)))
                // Return 403 Forbidden if the user doesn't have the required roles
                context.Result = new StatusCodeResult(403); // 403 Forbidden

            // Store user information in HttpContext for later use
            context.HttpContext.Items["UserId"] = userId;
            context.HttpContext.Items["Roles"] = roles;
            context.Result = new UnauthorizedResult(); // 401 Unauthorized

4. Secure Endpoints

The SecureController demonstrates how to use the CustomAuthorizeAttribute to protect endpoints.

public class SecureController : ControllerBase
    [CustomAuthorize("Admin")] // Requires "Admin" role
    public IActionResult AdminEndpoint()
        return Ok("Welcome, Admin!");

    [CustomAuthorize("User")] // Requires "User" role
    public IActionResult UserEndpoint()
        return Ok("Welcome, User!");

5. Swagger Configuration

Configure Swagger to include support for the Authorization header.

builder.Services.AddSwaggerGen(options =>
    options.SwaggerDoc("v1", new OpenApiInfo { Title = "CustomRoleBasedAuthorization", Version = "v1" });

    // Add support for the Authorization header in Swagger
    options.AddSecurityDefinition("ApiKey", new OpenApiSecurityScheme
        Description = "Custom Authorization header using an API key. Example: \"Authorization: <your-key>\"",
        Name = "Authorization",
        In = ParameterLocation.Header,
        Type = SecuritySchemeType.ApiKey,
        Scheme = "ApiKey"

    options.AddSecurityRequirement(new OpenApiSecurityRequirement
            new OpenApiSecurityScheme
                Reference = new OpenApiReference
                    Type = ReferenceType.SecurityScheme,
                    Id = "ApiKey"

6. Register Services in Program.cs

Register the AuthService and UserService in the dependency injection container.


Now You Can Run, Test, and Enjoy Coding!

With everything set up, you’re ready to run the application, test the endpoints, and see your custom role-based authorization system in action. Use tools like Swagger or Postman to interact with your API and verify that the authentication and authorization logic works as expected.

Explore the Source Code

If you'd like to dive deeper into the implementation, feel free to explore the complete source code on GitHub. You can find the repository here:

🔗 CustomRoleBasedAuthorization on GitHub

Feel free to clone the repository, experiment with the code, and adapt it to your own projects. If you find it helpful, don’t forget to give it a ⭐️ on GitHub!

Happy coding! 🚀

This content originally appeared on DEV Community and was authored by Sann Lynn Htun

Print Share Comment Cite Upload Translate Updates

Sann Lynn Htun | Sciencx (2025-01-21T19:13:06+00:00) Building a Custom Role-Based Authorization System in ASP.NET Core. Retrieved from

" » Building a Custom Role-Based Authorization System in ASP.NET Core." Sann Lynn Htun | Sciencx - Tuesday January 21, 2025,
Sann Lynn Htun | Sciencx Tuesday January 21, 2025 » Building a Custom Role-Based Authorization System in ASP.NET Core., viewed ,<>
Sann Lynn Htun | Sciencx - » Building a Custom Role-Based Authorization System in ASP.NET Core. [Internet]. [Accessed ]. Available from:
" » Building a Custom Role-Based Authorization System in ASP.NET Core." Sann Lynn Htun | Sciencx - Accessed .
" » Building a Custom Role-Based Authorization System in ASP.NET Core." Sann Lynn Htun | Sciencx [Online]. Available: [Accessed: ]
» Building a Custom Role-Based Authorization System in ASP.NET Core | Sann Lynn Htun | Sciencx | |

Please log in to upload a file.

There are no updates yet.
Click the Upload button above to add an update.

You must be logged in to translate posts. Please log in or register.