Custom Authorization
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Policy;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;
namespace CustomAuthNetCore20.Authorization
{
public class CustomAuthorizeFilter : AuthorizeFilter
{
    public CustomAuthorizeFilter(AuthorizationPolicy policy)
        : base(policy)
    {
    }

    public CustomAuthorizeFilter(IAuthorizationPolicyProvider policyProvider, IEnumerable<IAuthorizeData> authorizeData)
        : base(policyProvider, authorizeData)
    {
    }

    public CustomAuthorizeFilter(IEnumerable<IAuthorizeData> authorizeData)
        : base(authorizeData)
    {
    }

    public CustomAuthorizeFilter(string policy)
        : base(policy)
    {
    }

    /// <summary>
    /// Runs the effective <see cref="AuthorizationPolicy"/> against the current request.
    /// A request that is not authenticated (challenged) receives a
    /// <see cref="CustomUnauthorizedResult"/> instead of the scheme's own challenge;
    /// a request that is authenticated but not permitted (forbidden) still goes through
    /// <see cref="ForbidResult"/>, so those two outcomes are handled differently.
    /// </summary>
    /// <param name="context">The MVC authorization filter context; must not be null.</param>
    /// <exception cref="ArgumentNullException"><paramref name="context"/> is null.</exception>
    /// <exception cref="InvalidOperationException">
    /// No explicit policy was given and no <see cref="IAuthorizationPolicyProvider"/> is available.
    /// </exception>
    public override async Task OnAuthorizationAsync(AuthorizationFilterContext context)
    {
        if (context is null)
        {
            throw new ArgumentNullException(nameof(context));
        }

        var policy = await ResolveEffectivePolicyAsync();
        if (policy is null)
        {
            // Nothing to enforce for this request.
            return;
        }

        var httpContext = context.HttpContext;
        var evaluator = httpContext.RequestServices.GetRequiredService<IPolicyEvaluator>();

        // Authentication is performed before the AllowAnonymous check (presumably so
        // HttpContext.User is populated even on anonymous endpoints); only the
        // authorization decision below is skipped for [AllowAnonymous].
        var authentication = await evaluator.AuthenticateAsync(policy, httpContext);

        if (context.Filters.OfType<IAllowAnonymousFilter>().Any())
        {
            return;
        }

        var decision = await evaluator.AuthorizeAsync(policy, authentication, httpContext, context);

        if (decision.Challenged)
        {
            // Short-circuit with a 401 JSON body. Because the authentication scheme's
            // challenge handler is not invoked, the response carries no scheme-specific
            // challenge (e.g. WWW-Authenticate header or login redirect).
            context.Result = new CustomUnauthorizedResult("Authorization failed.");
        }
        else if (decision.Forbidden)
        {
            // Forbidden keeps the scheme-driven behaviour (403 or redirect, depending
            // on the configured schemes).
            context.Result = new ForbidResult(policy.AuthenticationSchemes.ToArray());
        }
    }

    // Returns the explicit policy when one was supplied, otherwise combines the
    // policies named by AuthorizeData through the policy provider.
    private async Task<AuthorizationPolicy> ResolveEffectivePolicyAsync()
    {
        var explicitPolicy = Policy;
        if (explicitPolicy != null)
        {
            return explicitPolicy;
        }

        if (PolicyProvider is null)
        {
            throw new InvalidOperationException($"An {nameof(AuthorizationPolicy)} cannot be created without a valid instance of {nameof(IAuthorizationPolicyProvider)}.");
        }

        return await AuthorizationPolicy.CombineAsync(PolicyProvider, AuthorizeData);
    }
}
}
namespace CustomAuthNetCore20.Authorization
{
public class CustomError
{
    /// <summary>
    /// Human-readable reason sent back to the client. When this object is serialized
    /// the property name becomes the JSON key.
    /// </summary>
    public string Error { get; set; }

    /// <summary>Creates an error payload carrying <paramref name="message"/>.</summary>
    /// <param name="message">Text assigned to <see cref="Error"/>; not validated.</param>
    public CustomError(string message) => Error = message;
}
}
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Newtonsoft.Json;
namespace CustomAuthNetCore20.Authorization
{
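public class CustomUnauthorizedResult : ObjectResult
{
    /// <summary>
    /// A 401 response whose body is a <see cref="CustomError"/> describing why the
    /// request was rejected. Used by <see cref="CustomAuthorizeFilter"/> in place of
    /// the authentication scheme's challenge.
    /// </summary>
    /// <param name="message">Text placed in <see cref="CustomError.Error"/>.</param>
    public CustomUnauthorizedResult(string message)
        : base(new CustomError(message))
    {
        // Hand the object itself to MVC's output formatters instead of a pre-serialized
        // string: a string Value is either written as plain text or re-encoded as a JSON
        // string literal (depending on the Accept header), so the client would not get
        // the intended {"Error": "..."} document.
        StatusCode = StatusCodes.Status401Unauthorized;
    }
}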
}
// ...
services.AddMvc(options =>
{
    // Register the custom filter globally so every MVC action requires an authenticated
    // user and unauthenticated requests get the JSON 401 body. Actions marked
    // [AllowAnonymous] remain exempt because the filter honours IAllowAnonymousFilter.
    // NOTE(review): a global MVC filter covers MVC endpoints only — confirm that any
    // non-MVC middleware or endpoints are protected separately.
    var requireAuthenticatedUser = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
    options.Filters.Add(new CustomAuthorizeFilter(requireAuthenticatedUser));
});
// ...