I am a fan of separating authorization logic and business logic – that’s why I favour the claims-based authorization manager approach. That’s also why I wrote the ClaimsAuthorize filter.
If you don’t want to go down the route of a full fledged authorization manager but use the scopes concept from OAuth2 (see here), here’s a simplified approach:
```csharp
public class IdentityController : ApiController
{
    /// Returns the claims of the current principal
    [Scope("read")]   // scope values are assumed; the extracted post dropped the attribute arguments
    public IEnumerable<ViewClaim> Get()
    {
        var principal = Request.GetClaimsPrincipal();
        return principal.Claims.Select(c => new ViewClaim(c)); // mapping assumed; the rest of the body is not shown in the post
    }

    /// Update identity data
    [Scope("write")]
    public void Put() { /* body not shown in the post */ }
}
```
The [Scope] attribute is an authorization filter that simply checks for the existence of scope claims with the specified value.
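As an added illustration (not the post's own filter), here is how such a [Scope] filter can be written for ASP.NET Web API 2. The claim type "scope", the 401-versus-403 split and the handling of a space-delimited scope claim are my assumptions; the last one goes slightly beyond the single-value check described above.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Assumes the scope claim type is "scope" and the principal is a ClaimsPrincipal.
public class ScopeAttribute : AuthorizationFilterAttribute
{
    public const string ScopeClaimType = "scope"; // assumed claim type name
    private readonly string _requiredScope;

    public ScopeAttribute(string requiredScope) { _requiredScope = requiredScope; }

    // Pure check, so it can be unit-tested without an HTTP pipeline. It accepts both
    // one claim per scope and a single space-delimited scope claim, which is how some
    // token validators surface the OAuth2 "scope" parameter.
    public static bool HasScope(ClaimsPrincipal principal, string requiredScope)
    {
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return false;
        return principal.FindAll(ScopeClaimType)
            .SelectMany(c => c.Value.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries))
            .Any(s => string.Equals(s, requiredScope, StringComparison.Ordinal));
    }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;

        // No authenticated caller: 401 tells the client to present a token.
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            actionContext.Response = actionContext.Request.CreateErrorResponse(
                HttpStatusCode.Unauthorized, "Authentication required.");
            return;
        }
        // Authenticated, but the token was not issued for this scope: 403, not 401.
        if (!HasScope(principal, _requiredScope))
        {
            actionContext.Response = actionContext.Request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "Required scope '" + _requiredScope + "' is missing.");
        }
    }
}
```

Because the filter only asserts that a scope claim is present, it stays coarse grained by design; anything that depends on the resource being accessed still belongs in an authorization manager or in the action itself.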
That’s a really simple approach to coarse grained authorization that goes well together with access tokens coming from an (our) authorization server. You can of course mix that with an authorization manager if you like.