Razor Pages authorization conventions in ASP.NET Core

By Luke Latham

One way to control access in your Razor Pages app is to use authorization conventions at startup. These conventions allow you to authorize users and allow anonymous users to access individual pages or folders of pages. The conventions described in this topic automatically apply authorization filters to control access.

Require authorization to access a page

Use the AuthorizePage convention via AddRazorPagesOptions to add an AuthorizeFilter to the page at the specified path:

services.AddMvc()
    .AddRazorPagesOptions(options =>
    {
        options.Conventions.AuthorizePage("/Contact");
        options.Conventions.AuthorizeFolder("/Private");
        options.Conventions.AllowAnonymousToPage("/Private/PublicPage");
        options.Conventions.AllowAnonymousToFolder("/Private/PublicPages");
    });

The specified path is the View Engine path, which is the Razor Pages root relative path without an extension and containing only forward slashes.

An AuthorizePage overload is available if you need to specify an authorization policy.

Require authorization to access a folder of pages

Use the AuthorizeFolder convention via AddRazorPagesOptions to add an AuthorizeFilter to all of the pages in a folder at the specified path:

services.AddMvc()
    .AddRazorPagesOptions(options =>
    {
        options.Conventions.AuthorizePage("/Contact");
        options.Conventions.AuthorizeFolder("/Private");
        options.Conventions.AllowAnonymousToPage("/Private/PublicPage");
        options.Conventions.AllowAnonymousToFolder("/Private/PublicPages");
    });

The specified path is the View Engine path, which is the Razor Pages root relative path.

An AuthorizeFolder overload is available if you need to specify an authorization policy.

Allow anonymous access to a page

Use the AllowAnonymousToPage convention via AddRazorPagesOptions to add an AllowAnonymousFilter to a page at the specified path:

services.AddMvc()
    .AddRazorPagesOptions(options =>
    {
        options.Conventions.AuthorizePage("/Contact");
        options.Conventions.AuthorizeFolder("/Private");
        options.Conventions.AllowAnonymousToPage("/Private/PublicPage");
        options.Conventions.AllowAnonymousToFolder("/Private/PublicPages");
    });

The specified path is the View Engine path, which is the Razor Pages root relative path without an extension and containing only forward slashes.

Allow anonymous access to a folder of pages

Use the AllowAnonymousToFolder convention via AddRazorPagesOptions to add an AllowAnonymousFilter to all of the pages in a folder at the specified path:

services.AddMvc()
    .AddRazorPagesOptions(options =>
    {
        options.Conventions.AuthorizePage("/Contact");
        options.Conventions.AuthorizeFolder("/Private");
        options.Conventions.AllowAnonymousToPage("/Private/PublicPage");
        options.Conventions.AllowAnonymousToFolder("/Private/PublicPages");
    });

The specified path is the View Engine path, which is the Razor Pages root relative path.

Note on combining authorized and anonymous access

It's perfectly valid to specify that a folder of pages requires authorization and that a page within that folder allows anonymous access:

// This works.
.AuthorizeFolder("/Private").AllowAnonymousToPage("/Private/Public")

The reverse, however, isn't true. You can't declare a folder of pages for anonymous access and specify a page within for authorization:

// This doesn't work!
.AllowAnonymousToFolder("/Public").AuthorizePage("/Public/Private") 

Requiring authorization on the Private page won't work because when both the AllowAnonymousFilter and AuthorizeFilter filters are applied to the page, the AllowAnonymousFilter wins and controls access.
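
Because the failing combination above produces no error, a startup audit can make it visible. The following is an added example, not part of the original topic or its sample app: MustRequireAuthorizationConvention and the Startup class are hypothetical, and the check assumes the filter-based behavior this topic describes.

```csharp
using System;
using System.Linq;
using Microsoft.AspNetCore.Mvc.ApplicationModels;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical audit convention (not a framework type). Assumes the behavior this
// topic describes: the conventions add AuthorizeFilter / AllowAnonymousFilter
// instances to the page model's Filters collection.
public class MustRequireAuthorizationConvention : IPageApplicationModelConvention
{
    private readonly string[] _protectedPaths;

    public MustRequireAuthorizationConvention(params string[] protectedPaths)
    {
        _protectedPaths = protectedPaths;
    }

    public void Apply(PageApplicationModel model)
    {
        // Only audit the pages this convention was told to guard.
        if (!_protectedPaths.Contains(model.ViewEnginePath, StringComparer.OrdinalIgnoreCase)) return;

        bool requiresAuth = model.Filters.OfType<AuthorizeFilter>().Any();
        bool allowsAnonymous = model.Filters.OfType<AllowAnonymousFilter>().Any();

        // An AllowAnonymousFilter overrides any AuthorizeFilter on the same page.
        if (!requiresAuth || allowsAnonymous)
        {
            throw new InvalidOperationException(
                $"Page '{model.ViewEnginePath}' must require authorization, but it " +
                (allowsAnonymous ? "carries an AllowAnonymousFilter." : "has no AuthorizeFilter."));
        }
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc().AddRazorPagesOptions(options =>
        {
            options.Conventions.AllowAnonymousToFolder("/Public");
            options.Conventions.AuthorizePage("/Public/Private"); // overridden, per the note above
            // Added last so it inspects the filters the conventions above attached.
            options.Conventions.Add(new MustRequireAuthorizationConvention("/Public/Private"));
        });
    }
}
```

With this configuration the audit throws when the application model for /Public/Private is built, so the page fails closed instead of being served to anonymous users.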
