Manage User Rights By Decorating Their Claims Identity

Views: 3,094

Jeff Zuerlein


A day ago

Comments: 14
@krccmsitp2884 7 months ago
That was very insightful, thanks. I'd like to see more about implementing authorization topics.
@JeffZuerlein 7 months ago
I’m working on it!
7 months ago
Thank you! I worked with all components but it never crossed my mind to combine them like this. And it makes perfect sense
@JeffZuerlein 7 months ago
I know! I can’t figure out why people don’t talk about it more.
@alexisfibonacci 7 months ago
How about implementing the IClaimsTransformation interface?
@JeffZuerlein 7 months ago
I've been avoiding your comment for long enough... You could use the IClaimsTransformation interface to "Decorate" or "Transform" a ClaimsPrincipal, in a very similar way to what I describe in my video. I presented the option of using middleware because a while back I read Brock Allen's blog post on the transform occurring more than once per request. However, I recently learned that Microsoft added a HashSet to the AuthenticationService to cache the result of the transform, so it effectively only gets transformed once. github.com/dotnet/aspnetcore/commit/814a37548b6adae2f846eae3144e8f37c1388520 That makes IClaimsTransformation much more compelling. At the end of the day, both work. I think the differentiator between the two options is... Do you need the HTTPContext in the decoration process? Do you need to implement your own caching of ClaimsPrincipal data for performance reasons, if so where and how? I still think there could be a slight performance advantage to using the middleware approach, but I don't have data to support that.
@cuongphung9163 7 months ago
The way you organize and present content is great. Thanks so much
@JeffZuerlein 7 months ago
So nice of you to say. I appreciate it.
@07309415 7 months ago
Thanks for the video. I like how you explained the material and would like to see more on this subject. I appreciate access to the source as well.
@JeffZuerlein 7 months ago
Thank you! I want to make one or two more videos on Authorization, so I’m working on cleaning up the source code and adding a few more examples. Glad you liked the content!
@ProstoDoCelu316 7 months ago
You will make a call to the database on every request, right?
@JeffZuerlein 7 months ago
Yep. Caching could be a good option. Typically application specific claims don’t change very often. That would reduce the round trips and latency.
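
Added example (not Jeff Zuerlein's code and not from the video's source): an IClaimsTransformation that decorates the principal with application rights, stays idempotent if it is invoked more than once, and caches the database lookup, tying together the IClaimsTransformation and caching replies above. IUserRightsStore, the claim type names and the 5-minute TTL are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Caching.Memory;

// Hypothetical abstraction over the application's rights table (an assumption).
public interface IUserRightsStore { Task<string[]> GetRightsAsync(string userId); }

public sealed class AppRightsClaimsTransformation : IClaimsTransformation
{
    private const string RightClaimType = "app:right";       // assumed claim type
    private const string MarkerClaimType = "app:decorated";  // assumed marker claim
    private static readonly TimeSpan CacheTtl = TimeSpan.FromMinutes(5);

    private readonly IUserRightsStore _store;
    private readonly IMemoryCache _cache;

    public AppRightsClaimsTransformation(IUserRightsStore store, IMemoryCache cache)
        => (_store, _cache) = (store, cache);

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // Never decorate anonymous callers; skip if this principal was already decorated.
        if (principal.Identity?.IsAuthenticated != true
            || principal.HasClaim(c => c.Type == MarkerClaimType))
            return principal;

        var userId = principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(userId))
            return principal;

        // One database round trip per user per TTL instead of one per request.
        var rights = await _cache.GetOrCreateAsync("rights:" + userId, entry =>
        {
            entry.AbsoluteExpirationRelativeToNow = CacheTtl;
            return _store.GetRightsAsync(userId);
        }) ?? Array.Empty<string>();

        // Add a separate identity so the claims issued by the identity provider stay untouched.
        var appIdentity = new ClaimsIdentity();
        appIdentity.AddClaim(new Claim(MarkerClaimType, "1"));
        appIdentity.AddClaims(rights.Select(r => new Claim(RightClaimType, r)));
        principal.AddIdentity(appIdentity);
        return principal;
    }
}
```

Register it with services.AddMemoryCache() and services.AddScoped<IClaimsTransformation, AppRightsClaimsTransformation>(). The cache TTL is also the longest a revoked right keeps working, so keep it short or evict the user's entry when their rights change.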
@massinamas 7 months ago
What is the difference between groups and roles?
@JeffZuerlein 7 months ago
To me...They are completely different, to Microsoft, they are the same thing. My notion of a Role would be the personal assistant to a CEO, or the CEO. It's a job that gets filled by a user. I don't want to code rights to an individual user, but I would to a role. My notion of a group would be a set of users. That set of users could all be given the same right, or the group could be assigned to a role. An example would be... Role = Online Content Reviewer, and there could be a group of users who fill that role. Microsoft doesn't support relationships between users, roles, groups, and tenants. I think it makes managing authorization much easier.