
Why is the Authorize attribute's policy parameter restricted to const ("compile time")?

This restriction disallows using string concatenation like in the example below. Is there any reason to restrict it?

    [Authorize($"{Privilege1},{Privilege2}")]
    [HttpPost()]
    public async Task<IActionResult> Testpost()
    {
        return Ok();
    }

Osama AbuSitta

2 Answers

Yes, sadly you can't use string interpolation in constants and you have to use constants in attributes like Authorize. Interpolated strings are interpolated at runtime and constants need to be created at compile time.

You can, however, concatenate the strings in this way, which the compiler will be able to make into a constant:

    private const string privilege1 = "Privilege1";
    private const string privilege2 = "Privilege2";

    [Authorize(privilege1 + "," + privilege2)]
    [HttpPost()]
    public async Task<IActionResult> Testpost()
    {
        return Ok();
    }

mortb

The attribute parameter has to be known at compile time to put it into the assembly metadata. That's how attributes work. In your case, the ${} means the value is only known at run time.

It's not about concatenation; you can safely have "a" + ",b" there, which clearly is a concatenation but still uses string values known at compile time.

Try to create your own security policy or inherit the AuthorizeAttribute. In your custom logic, you can refer to any roles, static or dynamic.

Wiktor Zychla
  • for your quick response, I understand it is more about the runtime value, but why do we need the authorization attribute to be compile time? – Osama AbuSitta Jun 09 '20 at 09:01
  • @OsamaAbuSitta: it is the same for all attributes. If the attribute has a parameter (like privilege in your example) it needs to be a constant. Attributes are part of the C# language and work that way. The constant value will be compiled into your output assembly (.dll file). String interpolation may, for example, call methods, making the value a non-compile-time constant. If you don't want to use the attribute, it is possible to write authorization logic inside the `TestPost()` method instead. – mortb Jun 09 '20 at 09:05
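
The suggestion in the second answer (a custom policy or a class inheriting `AuthorizeAttribute`), shown as an added example that is not part of the original thread: the attribute still receives only constants, and the policy they name is built at run time. `RequirePrivilegesAttribute`, `PrivilegePolicyProvider`, the `Privileges:` prefix and the `privilege` claim type are assumptions made for illustration.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Options;

// Hypothetical attribute: takes compile-time constants and encodes them into a policy name.
// Usage: [RequirePrivileges(Privileges.Privilege1, Privileges.Privilege2)]
public sealed class RequirePrivilegesAttribute : AuthorizeAttribute
{
    public const string Prefix = "Privileges:"; // assumed naming scheme
    public RequirePrivilegesAttribute(params string[] privileges)
        => Policy = Prefix + string.Join(",", privileges);
}

// Builds the policy at run time from the name the attribute stored in metadata.
// Register: services.AddSingleton<IAuthorizationPolicyProvider, PrivilegePolicyProvider>();
public sealed class PrivilegePolicyProvider : IAuthorizationPolicyProvider
{
    private readonly DefaultAuthorizationPolicyProvider _inner;

    public PrivilegePolicyProvider(IOptions<AuthorizationOptions> options)
        => _inner = new DefaultAuthorizationPolicyProvider(options);

    public Task<AuthorizationPolicy> GetDefaultPolicyAsync() => _inner.GetDefaultPolicyAsync();
    public Task<AuthorizationPolicy> GetFallbackPolicyAsync() => _inner.GetFallbackPolicyAsync();

    public Task<AuthorizationPolicy> GetPolicyAsync(string policyName)
    {
        // Names without the prefix are ordinary policies from AddAuthorization(...).
        if (!policyName.StartsWith(RequirePrivilegesAttribute.Prefix, StringComparison.Ordinal))
            return _inner.GetPolicyAsync(policyName);

        var privileges = policyName.Substring(RequirePrivilegesAttribute.Prefix.Length)
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);

        var builder = new AuthorizationPolicyBuilder().RequireAuthenticatedUser();
        if (privileges.Length == 0)
            builder.RequireAssertion(_ => false); // fail closed: an empty list denies everyone
        foreach (var privilege in privileges)
            builder.RequireClaim("privilege", privilege.Trim()); // assumed claim type; all are required
        return Task.FromResult(builder.Build());
    }
}
```

Because the privilege list travels inside the policy name, a privilege name that itself contains a comma cannot be represented with this encoding.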