What is the use of Authorize Attribute in C# Asp.Net webAPI?

The Authorize attribute in C# ASP.NET Web API is a built-in authorization filter that controls access to API endpoints. It ensures that only authenticated and authorized users can access specific resources, returning HTTP 401 Unauthorized status for unauthenticated requests.

Authorization occurs before the controller action method executes, giving you control over who can access your API resources. This attribute can be applied at different levels to provide flexible access control.

Syntax

Following is the basic syntax for applying the Authorize attribute −

[Authorize]
public class ControllerName : ApiController {
   // Controller actions
}

[Authorize]
public IHttpActionResult ActionName() {
   // Action logic
}

You can also specify roles or users −

[Authorize(Roles = "Admin")]
[Authorize(Users = "john,jane")]

Application Levels

Global Level

Apply authorization to all Web API controllers by adding the filter to the global filter list −

using System.Web.Http;

public static class WebApiConfig {
   public static void Register(HttpConfiguration config) {
      config.Filters.Add(new AuthorizeAttribute());
      
      config.Routes.MapHttpRoute(
         name: "DefaultApi",
         routeTemplate: "api/{controller}/{id}",
         defaults: new { id = RouteParameter.Optional }
      );
   }
}

Controller Level

Restrict access for all actions in a specific controller −

using System.Web.Http;

[Authorize]
public class StudentsController : ApiController {
   public IHttpActionResult Get() {
      return Ok("All students data");
   }
   
   public IHttpActionResult Get(int id) {
      return Ok($"Student with ID: {id}");
   }
   
   public IHttpActionResult Post() {
      return Ok("Student created");
   }
}

Action Level

Apply authorization to specific action methods only −

using System.Web.Http;

public class StudentsController : ApiController {
   // Public access - no authorization required
   public IHttpActionResult Get() {
      return Ok("Public student list");
   }
   
   // Requires authorization
   [Authorize]
   public IHttpActionResult Post() {
      return Ok("Student created successfully");
   }
   
   // Requires admin role
   [Authorize(Roles = "Admin")]
   public IHttpActionResult Delete(int id) {
      return Ok($"Student {id} deleted");
   }
}

Role-Based Authorization

You can restrict access based on user roles or specific users −

using System.Web.Http;

public class AdminController : ApiController {
   [Authorize(Roles = "Admin,Manager")]
   public IHttpActionResult GetReports() {
      return Ok("Confidential reports data");
   }
   
   [Authorize(Users = "john@example.com")]
   public IHttpActionResult GetUserData() {
      return Ok("User-specific data");
   }
   
   [Authorize(Roles = "Admin")]
   public IHttpActionResult DeleteUser(int id) {
      return Ok($"User {id} deleted by admin");
   }
}

Allowing Anonymous Access

Use AllowAnonymous attribute to bypass authorization for specific actions −

using System.Web.Http;

[Authorize]
public class ProductsController : ApiController {
   // Requires authorization
   public IHttpActionResult Get() {
      return Ok("Protected products list");
   }
   
   // Bypasses authorization even though controller has [Authorize]
   [AllowAnonymous]
   public IHttpActionResult GetPublic() {
      return Ok("Public products list");
   }
}

Authorization vs Authentication

Authentication | Authorization
Verifies who the user is | Determines what the user can access
Happens first | Happens after authentication
Usually involves credentials (username/password, tokens) | Involves checking permissions and roles
Returns 401 if failed | Returns 403 if user is authenticated but not authorized

Common Use Cases

  • API Security: Protect sensitive endpoints from unauthorized access

  • Role-based Access: Different access levels for admins, users, and guests

  • Resource Protection: Ensure users can only access their own data

  • Premium Features: Restrict certain features to paid subscribers
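The Resource Protection use case is not something [Authorize] can enforce on its own: the attribute only confirms that the caller is an authenticated principal (optionally in a given role), and which record that principal may read has to be decided inside the action. The following is an added example, not code from the original article; MyStudentsController, StudentRecord and the in-memory Records dictionary are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Web.Http;

// Hypothetical record type used only by this example.
public class StudentRecord {
   public int Id { get; set; }
   public string OwnerName { get; set; }   // account name that owns the record
   public string Notes { get; set; }
}

[Authorize]
public class MyStudentsController : ApiController {
   // Constructed in-memory sample data standing in for a database.
   private static readonly Dictionary<int, StudentRecord> Records =
      new Dictionary<int, StudentRecord> {
         { 1, new StudentRecord { Id = 1, OwnerName = "jane", Notes = "Jane's notes" } },
         { 2, new StudentRecord { Id = 2, OwnerName = "john", Notes = "John's notes" } }
      };

   // GET api/mystudents/{id}
   // [Authorize] only guarantees that User is an authenticated principal.
   // Whether that principal may read record {id} is an ownership decision
   // the action itself has to make.
   public IHttpActionResult Get(int id) {
      StudentRecord record;
      if (!Records.TryGetValue(id, out record)) {
         return NotFound();
      }

      string caller = User.Identity.Name;
      bool isOwner = string.Equals(record.OwnerName, caller,
                                   StringComparison.OrdinalIgnoreCase);
      bool isAdmin = User.IsInRole("Admin");

      if (!isOwner && !isAdmin) {
         // Authenticated but not permitted: respond with 403, as in the table
         // above. (Note that the built-in AuthorizeAttribute itself answers
         // 401 for both missing and insufficient credentials; some APIs also
         // prefer 404 here so the response does not reveal that the record
         // exists for another user.)
         return StatusCode(HttpStatusCode.Forbidden);
      }

      return Ok(record);
   }
}
```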

Conclusion

The Authorize attribute is essential for securing ASP.NET Web API endpoints. It provides flexible access control at global, controller, and action levels, supporting role-based and user-specific authorization. Combined with proper authentication, it ensures that only authorized users can access protected resources.

Updated on: 2026-03-17T07:04:36+05:30
