reset password
Author Message
cysun
Posts: 2935
Posted 14:19 Jul 24, 2019

This is a follow-up on Kevin's question in class about whether it's possible to distinguish different types of "Access Denied" and display different Access Denied pages accordingly.

I've read some documentation and couldn't find anything on this. After some thinking, I'm fairly confident that ASP.NET Core does not provide a way to do it, because it doesn't make much sense to do so. Access Denied is Access Denied, and that's basically the end of the story -- there are really no different "Access Denied". And you usually do not want to tell the user the reason why the access is denied because it may reveal more information to attackers -- for example, if you fail to log into a site, the site usually just says "authentication failed" instead of telling you whether it's the username or the password that was wrong.

Note that this is different from exception handling where you do want to show different pages for different exceptions. ASP.NET Core in Action covers this in Chapter 3.3 and 13.2.

clan
Posts: 1
Posted 15:43 Jul 24, 2019

Hi Dr. Sun, I have shown this message to Kevin, and he wants to say thank you for responding to his question.