• A single page application based on Angular 7
  • A Backend based on .NET Core WebAPI.

I am currently considering best practices to cover authentication and authorization requirement of these kind of application.

Client Side Authorization

  • SPA takes JWT after login.
  • Authorization of routes will be handled by Routing guard in Angular. For example, a user has reportviewer role, user will be allowed the routes to see report-related components.
  • Menu items will be visible according to the information on JWT. For example, a user has reportviewer role, user will see report-related menu items.

Server Side

JWT will contain some of the authorization information.(For example Role Claims) Authorize attributes will be used for authorization of WebAPIs.

I have developed a user edit page to define a user and assign required roles.


Authorization of menu items, routing guards and WebAPIs could be defined inconsistently by developers. How can I build consistent authorization framework to solve this problem for this kind of application?

Thanks in advance.


How can I build consistent authorization framework to solve this problem for this kind of application?

The answer is to rely on an external authorization framework. There are several options out there to achieve that. Some are .NET-specific, some are general-purpose.

As a whole, this field is known as Attribute-Based Access Control (ABAC). What ABAC gives you is:

  • an architecture
  • a policy language to express your authorization in (e.g. “managers can view documents in their departments“)
  • a request / response protocol in which to send Permit / Deny authorization requests.

ABAC Architecture

ABAC / XACML Architecture & Flow

This picture highlights how ABAC works: you have the notion of an interceptor or enforcement point (PEP) which intercepts the flow between the user and the app. This enforcement point will check whether the user can get access to whatever it is they want to get access to (data, an API call, a widget…). The idea is that the PEP is local to what you are protecting but the decision making is centralized and that is what will give you consistent authorization. You can have PEPs for SPA, for APIs… And they can enforce the same authorization policies consistently.

The PDP or Policy Decision Point is the one that processes the authorization requests and evaluates them against a set of policies you would have previously written. The language policies are written is typically  or .

The PIP (Policy Information Point) is an abstract representation of your data sources and user directories (AD, DB…) where you might store additional information about the users and resources. They can be useful to help make the right decision.


You can either go for open-source implementations e.g. AuthZForce or commercial implementations e.g. Axiomatics (where I work). .NET Core also has policy-based authorization but that won’t help you with your SPA.