I'm implementing .NET Core Auth, which I'm new to.
I know that you can use an Authorisation Builder to configure the MVC application to
RequireAuthentication, so that all request must be authenticated unless the
AllowAnonymous attribute is used.
I'm currently wondering whether you are you able to take a similar approach to authorisation. That is, configure the application to refuse the request unless a policy has explicitly passed?
My API has numerous endpoints that require elevated privileges, and it seems safer if all endpoints by default are locked down unless a policy has passed. As far as I can tell, out of the box with the above authorisation configuration in MVC, if you are an authenticated user, you will be able to use any endpoint that doesn't have any authorisation added to it.
Is this possible? Or am I perhaps over complicating the authorisation process here?