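/// <summary>
/// Determines whether the current <see cref="System.Security.Principal.IPrincipal"/> is authorized to access the requested resources.
/// </summary>
/// <remarks>
/// Deny-by-default: the base <c>AuthorizeCore</c> check must pass, the <c>access_token</c> cookie must be present and
/// not expired according to <c>JwtUtil.IsExpired</c>, and every configured policy must be granted by
/// <c>PolicyPermission.Demand()</c>. Any exception raised while checking the token or demanding a policy is logged
/// and treated as "not authorized"; nothing propagates to the caller.
/// NOTE(review): only the token's expiry is checked here. Whether <c>JwtUtil.IsExpired</c> also verifies the
/// signature, issuer and audience, and whether the cookie token is bound to <paramref name="httpContext"/>.User,
/// is not visible from this method — confirm that happens in the authentication pipeline, otherwise an unsigned
/// but unexpired token would satisfy this check.
/// </remarks>
/// <param name="httpContext">The HTTP context.</param>
/// <returns>Returns true if the current user is authorized to access the request resources.</returns>
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
    // The base check is mandatory and cheap, so run it first: an unauthenticated request should not
    // trigger token parsing or policy demands at all. The original AND-ed both halves after doing all
    // the work; the boolean result is identical, only the wasted work and misleading log noise go away.
    if (!base.AuthorizeCore(httpContext))
    {
        return false;
    }

    var accessToken = httpContext.Request.Cookies["access_token"]?.Value;

    // IsNullOrWhiteSpace already covers null and empty (the original checked both). No token, no access.
    if (string.IsNullOrWhiteSpace(accessToken))
    {
        return false;
    }

    // Step 1: the token must not be expired. A malformed token makes JwtUtil throw, which is a denial.
    try
    {
        if (JwtUtil.IsExpired(accessToken))
        {
            return false;
        }
    }
    catch (Exception e)
    {
        // Deliberately broad: whatever JwtUtil throws must deny, never propagate.
        // NOTE(review): the exception text may echo the raw token into the trace log — confirm the sink is not exposed.
        Trace.TraceError($"Unable to decode token: {e}");
        return false;
    }

    // Step 2: every configured policy must be granted for the current principal. The original reported a
    // failed Demand() (or a null/broken `policies` collection) as "Unable to decode token", misattributing
    // an authorization denial to JWT parsing; it gets its own catch and message here.
    try
    {
        foreach (var policy in policies)
        {
            // Demand() throws when the principal does not hold the policy.
            new PolicyPermission(PermissionState.Unrestricted, policy, httpContext.User).Demand();
        }
    }
    catch (Exception e)
    {
        // Broad on purpose, matching the original's fail-closed handling of anything thrown by Demand().
        Trace.TraceError($"Policy demand failed: {e}");
        return false;
    }

    return true;
}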