Hi,
We have an MVC client, Idserver and an API. We want to protect an action in the MVC client controller based on an authorization filter. Upon inspecting, the claim type role shows [ "role1", "role2", "role3"].
A part of the startup of the MVC client looks like:
    services.AddAuthorization(options =>
    {
        options.AddPolicy("Policy1", policy1 =>
        {
            policy1.RequireAuthenticatedUser();
            policy1.RequireClaim("role", "role1");
            policy1.RequireClaim("role", "role2");
            policy1.RequireClaim("role", "role3");
            policy1.Build();
        });
    });
The protected action in the controller has this attribute [Authorize (Policy = "Policy1")].
Of course this does not match the array of role claims; however, in the API the same code/policy is used and the claims are separated into multiple claims. The policy matches here, as expected. In the user.cs we just add a new claim for each role.
{"role": "role1"} {"role": "role2"} {"role":"role3"}
We're not sure if this could be related to the access token validation library, maybe dotnet related, the identityserver or even us?
That's a bug in Microsoft's OpenID Connect middleware - will be fixed in ASP.NET Core 1.1 - maybe you need to move to the preview that got released this week.
Works!
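An added example, not code from this thread or from IdentityServer: a small C# check showing why three `RequireClaim("role", ...)` requirements fail against a single `role` claim that holds the whole array, and pass once that claim is split into one claim per role. It assumes the array reaches the MVC client as one claim whose value is the JSON text; `RoleClaimCheck`, `HasAllRoles` and `SplitArrayClaims` are hypothetical names, and the principal is constructed sample data.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Text.Json;

static class RoleClaimCheck
{
    // Approximates RequireClaim("role", v) for each v: every required value
    // must exactly equal the value of some "role" claim on the principal.
    public static bool HasAllRoles(ClaimsPrincipal user, params string[] required) =>
        required.All(r => user.HasClaim("role", r));

    // Returns a copy of the principal in which any claim whose value is a JSON
    // array of strings is replaced by one claim per array element.
    public static ClaimsPrincipal SplitArrayClaims(ClaimsPrincipal user)
    {
        var identity = new ClaimsIdentity(user.Identity?.AuthenticationType, "name", "role");
        foreach (var claim in user.Claims)
        {
            string[] values = null;
            if (claim.Value.TrimStart().StartsWith("["))
            {
                try { values = JsonSerializer.Deserialize<string[]>(claim.Value); }
                catch (JsonException) { /* not a string array: keep the claim unchanged */ }
            }
            foreach (var v in values ?? new[] { claim.Value })
                if (v != null) // skip JSON nulls; a Claim value cannot be null
                    identity.AddClaim(new Claim(claim.Type, v, claim.ValueType, claim.Issuer));
        }
        return new ClaimsPrincipal(identity);
    }

    static void Main()
    {
        // Constructed sample: the claim shape reported for the MVC client (assumption).
        var mvcUser = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim("sub", "123"),
            new Claim("role", "[\"role1\",\"role2\",\"role3\"]"),
        }, "constructed-sample", "name", "role"));

        // Policy-style check against the array-valued claim, then after splitting.
        Console.WriteLine(HasAllRoles(mvcUser, "role1", "role2", "role3"));
        Console.WriteLine(HasAllRoles(SplitArrayClaims(mvcUser), "role1", "role2", "role3"));
    }
}
```

Dumping `User.Claims` (type and value) in the protected action shows directly which of the two shapes the client received.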