Implementing authorization in web applications and APIs

Security for users in applications is typically broken down into two parts: authentication and authorization. It turns out that authentication is the easy part, and it’s authorization that’s the real challenge. This might sound daunting, but since every application is different, there is no single recipe for how authorization should be implemented. This session discusses a couple of approaches to authorization and their pitfalls, and uses the ASP.NET Core authorization API as an example of a decent abstraction layer for clean authorization in your applications. We will discover that, regardless of your approach, there is no one size that fits all, and that’s why it is important to understand your options.