asp.net-coreasp.net-identityblazorrolesasp.net-roles

User assigned roles remain unrecognised


I am trying to introduce an admin account into my project. I have updated the Startup.cs file to use roles and have added Admin and Standard account inside AspNetRoles and assigned a user using their UserID an admin. The relevant [Authorize(Role = "Admin")] has also been added to the page but the admin account remains denied access. I can't seem to find out what is causing this to not be recognised, I have searched similar posts which suggested implementing

.AddRoleManager<RoleManager<IdentityRole>>()

However, this did not seem to help either. Would appreciate any insight in resolving this issue. Using Blazor wasm. Thanks in advance.

Startup.cs

public class Startup { public Startup(IConfiguration configuration) { Configuration = configuration; }

    public IConfiguration Configuration { get; }

    // This method gets called by the runtime. Use this method to add services to the container.
    // For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=398940
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDbContext<ApplicationDbContext>(options =>
            options.UseSqlServer(
                Configuration.GetConnectionString("DefaultConnection")));

        services.AddDatabaseDeveloperPageExceptionFilter();

        services.AddDefaultIdentity<ApplicationUser>(options => options.SignIn.RequireConfirmedAccount = false)
            .AddRoles<IdentityRole>()
            .AddEntityFrameworkStores<ApplicationDbContext>();
            
        services.AddIdentityServer()
            .AddApiAuthorization<ApplicationUser, ApplicationDbContext>();

        services.AddAuthentication()
            .AddIdentityServerJwt();

        services.AddControllersWithViews();

        services.AddRazorPages();

        services.Configure<IdentityOptions>(options =>
        options.ClaimsIdentity.UserIdClaimType = ClaimTypes.NameIdentifier);

       services.AddControllers().AddNewtonsoftJson(x => x.SerializerSettings.ReferenceLoopHandling = Newtonsoft.Json.ReferenceLoopHandling.Serialize);

}

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
            app.UseMigrationsEndPoint();
            app.UseWebAssemblyDebugging();
        }
        else
        {
            app.UseExceptionHandler("/Error");
            // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseBlazorFrameworkFiles();
        app.UseStaticFiles();

        app.UseRouting();

        app.UseIdentityServer();
        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapRazorPages();
            endpoints.MapControllers();
            endpoints.MapFallbackToFile("index.html");
        });
    }
}

Program.cs

 public class Program
{
    public static void Main(string[] args)
    {
        CreateHostBuilder(args).Build().Run();
    }

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder.UseStartup<Startup>();
            });
}

AspNetRoles table

enter image description here

AspNetUserRoles table

enter image description here

Razor pages

@attribute [Authorize(Roles ="Admin")]

Despite the above implementations, when logging into the assigned Admin account, the message shown is

You are not authorized to access this resource.

Solution

  • Try the following...

    Change:

    services.AddIdentityServer()
            .AddApiAuthorization<ApplicationUser, ApplicationDbContext>();
    

    To:

    // Configure identity server to put the role claim into the id token 
    // and the access token and prevent the default mapping for roles in 
    // the JwtSecurityTokenHandler.
                
    services.AddIdentityServer()
                    .AddApiAuthorization<ApplicationUser, ApplicationDbContext>(options => {
                        options.IdentityResources["openid"].UserClaims.Add("role");
                        options.ApiResources.Single().UserClaims.Add("role");
                    });
                // Need to do this as it maps "role" to ClaimTypes.Role and causes issues
                JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Remove("role");