Let's say I have a working implementation of authentication and authorization in an ASP.NET Core MVC app, and on an action I have the [Authorize(Roles = "Admin")] attribute. I have just logged in and I'm about to call that action.

When that action is called, where does the [Authorize(Roles = "Admin")] attribute look to see if the user has the role of "Admin"? Where is "Admin" stored?
I recently found out the answer to my question. Koppa Péter's answer was the closest here, but it turns out I needed more detail.
The [Authorize(Roles = "Admin")] attribute checks the values of the Role claims inside the encoded access token and compares it to "Admin".
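An added example, not code from the question or the answer above, illustrating the mechanism in the answer: once the token or cookie is decoded into a ClaimsPrincipal, the role check is a lookup of role-typed claims on that principal. The claim values and the "TestAuth"/"Bearer" authentication type names are constructed for the demo.

```csharp
using System;
using System.Security.Claims;

public static class RoleCheckDemo
{
    // [Authorize(Roles = "Admin")] ultimately relies on this call: it looks for a
    // claim whose type is the identity's RoleClaimType and whose value is "Admin".
    public static bool HasRole(ClaimsPrincipal user, string role) => user.IsInRole(role);

    public static void Main()
    {
        // Constructed sample claims, as they would look after the token/cookie is decoded.
        var claims = new[]
        {
            new Claim(ClaimTypes.NameIdentifier, "42"),
            new Claim(ClaimTypes.Role, "Admin"),
            new Claim(ClaimTypes.Role, "User"),
        };

        // The fourth argument tells the identity which claim type carries roles.
        var identity = new ClaimsIdentity(claims, "TestAuth", ClaimTypes.Name, ClaimTypes.Role);
        var user = new ClaimsPrincipal(identity);

        Console.WriteLine($"Admin:  {HasRole(user, "Admin")}");
        Console.WriteLine($"Editor: {HasRole(user, "Editor")}");

        // If the token issuer emits roles under a different claim type (a bare "role"
        // claim is common in JWTs), the identity must be told that type, otherwise
        // IsInRole finds nothing and the Authorize check fails.
        var roleClaims = new[] { new Claim("role", "Admin") };

        var mapped = new ClaimsIdentity(roleClaims, "Bearer", "name", "role");
        Console.WriteLine($"Admin with RoleClaimType=\"role\": {new ClaimsPrincipal(mapped).IsInRole("Admin")}");

        var unmapped = new ClaimsIdentity(roleClaims, "Bearer");
        Console.WriteLine($"Admin with default RoleClaimType:  {new ClaimsPrincipal(unmapped).IsInRole("Admin")}");
    }
}
```

In a real app the identity is built by the authentication handler (cookie, JWT bearer, etc.), so the RoleClaimType is set through that handler's options rather than by hand as here.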