Role Based authorization not working after JWT is added to .Net Identity
After adding Jwt authentication to the Web API, it seems okay if I do not specify roles in the Weather Forecast Controller method. After I specified Roles, only JWT authorisation works. I tried various things, transforming claims and others, but nothing helped. When .net identity authentication is used, it results in 401 Unauthorized.
[Full Source code][https://drive.google.com/file/d/1N57j7NYkH-d_pS3cYAEU_yTVZF47JqcV/view?usp=drive_link]
Startup Class
public class Program
{
public static void Main(string[] args)
{
var builder = WebApplication.CreateBuilder(args);
ConfigurationManager configuration = builder.Configuration;
// Add services to the container.
// For Entity Framework
builder.Services.AddDbContext<ApplicationDbContext>(options => options.UseSqlServer(configuration.GetConnectionString("ConnStr")));
// For Identity
builder.Services.AddIdentity<IdentityUser, IdentityRole>()
.AddEntityFrameworkStores<ApplicationDbContext>()
.AddClaimsPrincipalFactory<AppClaimsPrincipalFactory>()
.AddDefaultTokenProviders();
// Adding Authentication
builder.Services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
})
// Adding Jwt Bearer
.AddJwtBearer(options =>
{
options.SaveToken = true;
options.RequireHttpsMetadata = false;
options.TokenValidationParameters = new TokenValidationParameters()
{
ValidateIssuer = true,
ValidateAudience = true,
ValidAudience = configuration["JWT:ValidAudience"],
ValidIssuer = configuration["JWT:ValidIssuer"],
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configuration["JWT:Secret"]))
};
});
builder.Services.ConfigureApplicationCookie(options =>
{
options.Events.OnRedirectToLogin = context =>
{
context.Response.Headers["Location"] = context.RedirectUri;
context.Response.StatusCode = 401;
return Task.CompletedTask;
};
});
builder.Services.AddAuthorization(options =>
{
options.DefaultPolicy = new AuthorizationPolicyBuilder("Identity.Application", JwtBearerDefaults.AuthenticationScheme)
.RequireAuthenticatedUser()
.Build();
});
builder.Services.AddControllers();
// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();
var app = builder.Build();
// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())
{
app.UseSwagger();
app.UseSwaggerUI();
}
app.UseRouting();
app.UseHttpsRedirection();
// Authentication & Authorization
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();
}
}
Weather Forecast Controller
[ApiController]
[Route("[controller]")]
public class WeatherForecastController : ControllerBase
{
private static readonly string[] Summaries = new[]
{
"Freezing", "Bracing", "Chilly", "Cool", "Mild", "Warm", "Balmy", "Hot", "Sweltering", "Scorching"
};
private readonly ILogger<WeatherForecastController> _logger;
public WeatherForecastController(ILogger<WeatherForecastController> logger)
{
_logger = logger;
}
[HttpGet, Authorize(Roles = "Admin")]
public IEnumerable<WeatherForecast> Get()
{
var identity = HttpContext.User.Identity as ClaimsIdentity;
return Enumerable.Range(1, 5).Select(index => new WeatherForecast
{
Date = DateOnly.FromDateTime(DateTime.Now.AddDays(index)),
TemperatureC = Random.Shared.Next(-20, 55),
Summary = Summaries[Random.Shared.Next(Summaries.Length)]
})
.ToArray();
}
}
Solution
I tested your codes. The problem is you are using jwt authentication. Which require Authorize header with value Bearer ...token... in the request to pass the api.
But on the other hand, you are tryinng to pass the authentication with asp.net identity cookie. "JWT" and "asp.net identity cookie" are different authentication schemes. Using this cookie will never pass an "JWT" protected api.
This response means you have cookie but trying to pass it using "bearer"
An easy way to fix this is use this authorize attribute to specify the api use "asp.net identity" scheme
[Authorize(AuthenticationSchemes = "Identity.Application", Roles = "Admin")]
More over if you want this api can be pass by both "jwt" and "cookie". Modify like below:
builder.Services.AddAuthorization(options =>
{
options.AddPolicy("Jwt_Or_AspIdentiyCookie", policy =>
{
policy.AuthenticationSchemes.Add(JwtBearerDefaults.AuthenticationScheme);
policy.AuthenticationSchemes.Add("Identity.Application");
policy.RequireAuthenticatedUser();
});
});
Then in the controller use
[Authorize(policy: "Jwt_Or_AspIdentiyCookie", Roles = "Admin")]
- Not much difference between ASP.NET Core sync and async controller actions
- Html number input handling in blazor
- Command dotnet ef not found
- Official documentation for JwtBearer middleware/configuration via appsettings.json?
- There was no runtime pack for Microsoft.AspNetCore.App available for the specified RuntimeIdentifier 'browser-wasm'
- Azure Blob Upload not working in ASP .Net Core Application
- Page has a binding model issue, along with some strange behaviour in the OnPost method
- The constraint reference 'string' could not be resolved to a type. (netcoreapp3.0)
- How to detect how long since a user's payment failed?
- How to model a target class for receiving a JSON HTML response in .NET 5
- BindRequired on DateTime
- How to override ASP.NET Core configuration array settings using environment variables
- How to disable warnings at solution level in .NET projects
- Get Current User in a component
- Frontend not available when front and back on same Web App Azure
- Dependency injection in custom attribute
- Blazor: Reference to child page displayed by RenderFragment Body
- How to predefine subscription prices and trial period?
- EF Core Many to Many Join Table with Extra Properties Not Working
- .net-core middleware return blank result
- Unable to resolve service for type 'System.String' while attempting to activate 'MyService'
- Publishing web api with swagger on IIS
- "Authorize" button not showing in Swagger UI (.NET 9)
- Migrate to .NET 9, Bad request (400) on controllers and API methods
- Add custom JwtBearerHandler to "AddMicrosoftIdentityWebApi" in .net7
- Stripe version 2 API?
- How to get view file content as plain string
- startup exception for aspnet core worker docker container attempting to set secret from env variable in Kubernetes
- Cannot resolve scoped service 'xx.IEnumerable`1[xx.IDbContextOptionsConfiguration`1[xx.ExampleDbContext]]...' after upgrading from .NET 8 to .NET 9
- Any luck in using AddMicrosoftIdentityWebApp in combination with IdentityServer4?