How to fully implement authorization in asp.net core web api with entity framework core?

I have implemented authentication for my .net core web api with entity framework core v6.0 but now I am stuck in the authorization part.
I want to implement it in that way that I will read some Policies from my mssql database and then in my RequirementHandler to compare those Policies if the assigned policy to a method i.e: [Authorize(Policy="UserListRead")] it exists in my mssql database or not.
If yes, then return result 200, if not then result 401.

My code is like this:

Program.cs:

builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("UserListRead", policy => policy.Requirements.Add(new arkiva_be.Services.User_Service.UserListRequirement()));
});
builder.Services.AddScoped<Microsoft.AspNetCore.Authorization.IAuthorizationHandler, UserListRequirementHandler>();

UserListReadRequirement.cs

public class UserListReadRequirement:IAuthorizationRequirement
{
    public readonly DataContext _context;
    
    
}
public class UserListRequirementHandler : AuthorizationHandler<UserListReadRequirement>
{
    private readonly DataContext _context;
    private readonly IHttpContextAccessor _httpContextAccessor;
    private readonly IAuthService _authService;
    private readonly Microsoft.AspNetCore.Identity.RoleManager<Roles> _roleManager;
    private readonly IConfiguration _configuration;
    private readonly Microsoft.AspNetCore.Identity.UserManager<UserArkiva> _userManager;

    public UserListRequirementHandler(DataContext context, IHttpContextAccessor httpContextAccessor, 
                                      IAuthService authService, 
                                      Microsoft.AspNetCore.Identity.RoleManager<Roles> roleManager,
                                      IConfiguration configuration,
                                      Microsoft.AspNetCore.Identity.UserManager<UserArkiva> userManager
                                      )
    {
        _context = context;
        _httpContextAccessor = httpContextAccessor;
        _authService = authService;
        _roleManager = roleManager;
        _configuration = configuration;
        _userManager = userManager;
    }

    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, UserListRequirement requirement)
    {
        
        HttpContext httpContext = _httpContextAccessor.HttpContext;
        string dto_username = _authService.GetUserNameFromToken(httpContext).Result.UserName;

        List<CompanyWithPrivileges> TempList = new List<CompanyWithPrivileges>();
        var cp = new CompanyWithPrivilegesMethod(_userManager,_roleManager, _configuration,_context);

        TempList = cp.GetCompaniesWithPrivileges(dto_username);


        return Task.CompletedTask;
    }
}

Now in TempList I get to access all the privileges that the current logged in user has but I cannot compare it with the "UserListRead" policy because I don't know where to access it.
UserListRequirement requirement parameter is always null.

I think I am missing something in program.cs because I have +50 privileges and I don't think it is a good idea to add them all like policies.
Also I am currently adding a claim in my user token authClaims.Add(new Claim("UserListRead", "UserListRead")); but do I really need it? If I need this one, then I will need also 50+ other claims and then my token would be very long...

Any help would be much appreciated.

> I don't think it is a good idea to add them all like policies

I agree with this. From your description, You have 50+ privileges, If you create policy for each privilege, You need to register a lot of policies in your Program.cs. So in my opinion, You can custom IAuthorizationFilter and receive a dynamic parameter. In this case, You don't need to register so many policies for each privilege, You just need to pass different privilege to your own IAuthorizationFilter.

For Example, User has a claim to save his age. In my controller, Each action has it's own age standard, Action can only be accessed when the user's age is greater than the age standard of the action. So here i don't create policies for each age standard, I custom IAuthorizationFilter:

public class CustomAuthorizeAttribute : AuthorizeAttribute, IAuthorizationFilter
    {
        private readonly int Age;
        public CustomAuthorizeAttribute(int age)
        {

            Age = age;

        }
        void IAuthorizationFilter.OnAuthorization(AuthorizationFilterContext context)
        {
            var userage = Int32.Parse(context.HttpContext.User.FindFirstValue("Age"));


            //You can also get your dbcontext here.
            //var dbcontext = context.HttpContext.RequestServices.GetService(typeof(DatabaseContext)) as DatabaseContext;
            
            if (userage<Age) {
                context.Result = new ForbidResult();
            }
        }
    }

Then in action, I only need to pass parameter to this attribute

[CustomAuthorize(xxx)]

You can also refer to this Custom Authorization Policy Providers using IAuthorizationPolicyProvider in ASP.NET Core.