The Authorize attribute doesn't know anything about ASP.NET Identity, or any other identity system. It simply works with the IPrincipal and IIdentity interfaces that the MVC framework sets up for you.
ASP.NET Identity uses a ClaimsIdentity object, which implements IIdentity.
So the framework, via the UserManager, creates an authentication ticket. When a page loads, it loads this authentication ticket, decrypts it, and creates the necessary principal, identity and role objects.
Then, the Authorize attribute just basically checks User.IsInRole("Blah") when you say [Authorize(Roles="Blah")]
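The role check described above depends only on IPrincipal, as this added console example shows (it is not code from the original answer or from the framework). `IsAuthorized` is a hypothetical, simplified stand-in for the attribute's role logic, and the user names, role and the "ApplicationCookie" authentication type are constructed sample values.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Security.Principal;

static class AuthorizeSketch
{
    // Hypothetical stand-in for the role part of the check, not the framework's
    // source: the user must be authenticated AND be in at least one listed role.
    static bool IsAuthorized(IPrincipal user, string roles)
    {
        if (user?.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        var wanted = roles.Split(',').Select(r => r.Trim())
                          .Where(r => r.Length > 0).ToArray();
        return wanted.Length == 0 || wanted.Any(user.IsInRole);
    }

    static void Main()
    {
        // Constructed sample principals.
        // 1. Claims-based user: roles are carried as ClaimTypes.Role claims.
        var claimsUser = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, "alice"),
                    new Claim(ClaimTypes.Role, "Blah") },
            "ApplicationCookie"));

        // 2. Plain GenericPrincipal: no claims-issuing identity system involved.
        var genericUser = new GenericPrincipal(
            new GenericIdentity("bob"), new[] { "Blah" });

        // 3. Role claim present but no authentication type, so
        //    Identity.IsAuthenticated is false and the check must fail.
        var anonymous = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Role, "Blah") }));

        // 4. Authenticated, but the role sits under a claim type other than the
        //    identity's RoleClaimType, so IsInRole never sees it.
        var wrongType = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim("role", "Blah") }, "ApplicationCookie"));

        Console.WriteLine($"claims user:      {IsAuthorized(claimsUser, "Blah")}");
        Console.WriteLine($"generic user:     {IsAuthorized(genericUser, "Blah")}");
        Console.WriteLine($"unauthenticated:  {IsAuthorized(anonymous, "Blah")}");
        Console.WriteLine($"wrong claim type: {IsAuthorized(wrongType, "Blah")}");
    }
}
```

Cases 3 and 4 are the ones worth checking when roles come from a custom token or claims transformation: a role claim alone does not authorize anything unless the identity is authenticated and the claim uses the identity's role claim type.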