dotnet / AspNetCore.Docs

Documentation for ASP.NET Core
https://docs.microsoft.com/aspnet/core
Creative Commons Attribution 4.0 International

Redundant Content #17174

Open mobinseven opened 4 years ago

mobinseven commented 4 years ago

This page is totally redundant as RequireClaim is part of policy-based authorization. When you say "Claims-based authorization" alongside "Policy-Based" or "Role-Based" you must mean something similar to them (for example Authorize(Claim = ... )); not just something that is a policy by its very nature. Policies are strict and static. Just like the example given on this page: "EmployeeOnly". It is not a claim. It is a policy! Claims are more dynamic and flexible; much more diverse in type and value than what some static "Policy = " can handle. In my opinion "Claim-based authorization" is still an unfilled gap in this framework.

ptsneves commented 4 years ago

@mobinseven I agree that this information is redundant, but for the reason that it is misleading documentation, as you further elaborate.

This is my understanding after working with both forms of authorisation. Policy-based authorisation is not the same as claims-based, although you can make policies based purely on claims. A policy can have authorisation handlers that read claims or can do claim-unrelated logic. They also need to be registered before they are used, and the registration is often not done in the same place as the policy is used. So for one-off claim checks, it is a very heavy requirement and clutters the code base.

The absence of this understanding led me to use policy-based authorisation, which is quite a bit more complicated and requires more infrastructure, when actually I just needed to check for claims. To check for claims, the logic is simpler and can be done just with the user principal and HasClaim. I even made a tag helper that just checks for the claim.

Am I fundamentally misunderstanding claims and policy authorisation? [Edit: just found an answer on SO with 400+ votes where the same argument is made]

mobinseven commented 4 years ago

Am I fundamentally misunderstanding claims and policy authorization?

@ptsneves I think not. You are simply using the policy-based authorization with just some HasClaim rule. Look at the sample code in this part of the policy-based authorization doc. What I am expecting from a claim-based authorization is something that enables us to perform authorizations like this imaginary example:

<AuthorizeView Claim="@(new Claim("ClaimType","ClaimValue"))">
...
</AuthorizeView>

Otherwise it's still policy-based authorization. The currently implemented policy-based authorization is totally fine and flawless in many aspects. You can easily extend it with AuthorizationPolicyProvider to require claims in many ways. (See how I'm using it: my AuthorizationPolicyProvider and PermissionRequirement)
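As an added illustration of the extension point mentioned above (example code, not the provider the commenter links to), a custom IAuthorizationPolicyProvider can build a RequireClaim policy on demand from the policy name, so a one-off claim check does not need a policy registered in advance. The class name ClaimPolicyProvider and the "Claim:<type>=<value>" naming convention are assumptions made for this example.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Options;

// Hypothetical provider (added example). Policy names of the form
// "Claim:<type>" or "Claim:<type>=<value>" are resolved into RequireClaim
// policies at request time, so a controller can use
//   [Authorize(Policy = "Claim:department=sales")]
// without an AddPolicy call for every claim it wants to check.
public sealed class ClaimPolicyProvider : DefaultAuthorizationPolicyProvider
{
    private const string Prefix = "Claim:";

    public ClaimPolicyProvider(IOptions<AuthorizationOptions> options)
        : base(options) { }

    public override async Task<AuthorizationPolicy?> GetPolicyAsync(string policyName)
    {
        // Statically registered policies (e.g. "EmployeeOnly") take precedence.
        var existing = await base.GetPolicyAsync(policyName);
        if (existing != null) return existing;

        // Unknown names that are not claim specs stay unresolved; the
        // framework then fails closed with an InvalidOperationException
        // rather than silently granting access.
        if (!policyName.StartsWith(Prefix)) return null;

        var spec = policyName.Substring(Prefix.Length);
        var eq = spec.IndexOf('=');
        var builder = new AuthorizationPolicyBuilder();
        if (eq < 0)
            builder.RequireClaim(spec);                        // any value of this type
        else
            builder.RequireClaim(spec[..eq], spec[(eq + 1)..]); // exact type and value
        return builder.Build();
    }
}

// Registration (Program.cs or Startup.ConfigureServices); the singleton
// replaces the framework's default provider:
//   services.AddAuthorization();
//   services.AddSingleton<IAuthorizationPolicyProvider, ClaimPolicyProvider>();
```

A request whose principal lacks the claim is rejected by the standard ClaimsAuthorizationRequirement handler, so this gives the same failure behaviour as a pre-registered policy while keeping the check next to the endpoint that needs it.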