ASP.NET: What is the purpose of IAuthorizationService

Question

I am trying to understand the ASP.NET policy-based authorization mechanism, and I understood that I need to do the following:

1. Set up a policy
2. Assign requirements to that policy
3. Define authorization handlers to these requirements which perform the actual validation (And return whether the requirements were fullfilled or not)
4. Add the authorization handlers to the dependency injection mechanism

However, reading the ASP.NET documentation, I understand I might need to set up an IAuthorizationService as well. I failed to understand why that is needed for from the ASP.NET documentation.

Do I have to set one up? What should it do? Is that an alternative to the policy and authorization handlers I am setting up or a required addition to them?

Answer 1

U can override IAuthorizationService to take control of full authorization logic in your application. By default, IAuthorizationService is responsible for validation of Policy- Claim- or Role-based ruled, defined in AuthorizationOptions.

IAuthorizationService is usually being invoked in IAsyncAuthorizationFilter (which MVC adds automatically once u mark Controller or Action with [Authorize] attribute).