We have 60-70 claims at the moment for different thing that users can do throughout the API endpoints. That number will grow as we grow our API. We want to decorate each endpoint with the required claim.
Now, we have 2 options:
- Create custom
Authorizeattribute that will check for particular claim in logged identity - Create and use as many policies as we have claims (policy based authorization)
I've read on several place that MS discourages developers doing custom Authorize attribute.
On the other hand, are policies really meant to be used in a way that you end up with 100+ of them?
Can't find any docs related to this specific thing.