
I am using ASP.NET Core with OpenIddict, JWT, Resource Owner Grant and claims-based role. Authorization without enforcing any policy is working as expected.

I want to enforce authorisation policies on some controllers and action methods. All my users have role claims, so I did the following in the Startup:

services.AddAuthorization(options =>
{
    // Missing closing parenthesis on RequireClaim(...) in the original snippet.
    options.AddPolicy("Admin", p => p.RequireClaim("Admin"));
});

And I did the following on the action method:

[Authorize("Admin")]
public async Task<string> Index()
{
    return "Yes";
}

Without "Admin", I was able to access the resource, after adding "Admin" I can't.

I am assuming that is because my generated JWT token doesn't have the user claims.

  • Should my JWT contain the user role claim for the token to work?
  • How can I send the role claims using OpenIddict?
Adam

1 Answer


You need to request the roles scope for the roles to be copied in the access token (it may change in the future).

POST /connect/token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=johndoe&password=A3ddj3w&scope=roles
Kévin Chalet
Comment: I did this and it returned the roles to the token. But then I had to modify my policy to Require Roles rather than claims, which wasn't my intention, but it works now, thank you. – Adam Jul 24 '16 at 08:32
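Added example (not from the question, the answer, or OpenIddict itself) putting the two halves of this thread side by side: the token request with `scope=roles` from the answer, and the policy variants that explain why `RequireClaim("Admin")` denied a user who holds the "Admin" role while `RequireRole("Admin")` passes. It assumes the role claim is of type `ClaimTypes.Role` (the ASP.NET Core Identity default) and uses the answer's placeholder host and credentials.

```csharp
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;

// Startup.ConfigureServices: the three policy variants side by side.
public static class AdminPolicy
{
    public static void Register(IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            // Broken variant from the question: RequireClaim("Admin") requires a
            // claim whose *type* is "Admin". A role arrives as a claim of the role
            // type with the *value* "Admin", so this policy denies the admin user.
            options.AddPolicy("AdminByClaimType", p => p.RequireClaim("Admin"));

            // Working variant (what the comment switched to): RequireRole checks
            // the role claim's value through the identity's RoleClaimType.
            options.AddPolicy("Admin", p => p.RequireRole("Admin"));

            // Same check spelled as a claim assertion; assumes the role claim type
            // is ClaimTypes.Role, which ASP.NET Core Identity uses by default.
            options.AddPolicy("AdminByClaimValue",
                p => p.RequireClaim(ClaimTypes.Role, "Admin"));
        });
    }
}

// Client side: the password-grant request from the answer, including
// scope=roles; host and credentials are the answer's placeholders.
public static class TokenClient
{
    public static async Task<string> RequestTokenAsync(HttpClient http)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "password",
            ["username"] = "johndoe",
            ["password"] = "A3ddj3w",
            // Omit this and the issued token carries no role claims at all.
            ["scope"] = "roles"
        });
        var response = await http.PostAsync(
            "https://server.example.com/connect/token", form);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync(); // JSON with access_token
    }
}
```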