I am using ASP.NET Core with OpenIddict, JWT, Resource Owner Grant and claims-based role. Authorization without enforcing any policy is working as expected.
I want to enforce authorisation policies on some controllers and action methods. All my users have role claims, so I did the following in the Startup:
services.AddAuthorization(options =>
{
    options.AddPolicy("Admin", p => p.RequireClaim("Admin"));
});
And I did the following on the action method:
[Authorize("Admin")]
public async Task<string> Index()
{
    return "Yes";
}
Without "Admin" I was able to access the resource; after adding "Admin" I can't.
I am assuming that is because my generated JWT token doesn't have the user claims.
You need to request the roles scope for the roles to be copied into the access token (it may change in the future).
POST /connect/token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
grant_type=password&username=johndoe&password=A3ddj3w&scope=roles
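As an added example, not code from the question or the answer: a small Python script that builds the password-grant body with the roles scope the answer describes, then verifies a constructed HS256-signed access token and reports what a RequireClaim("Admin") policy and a RequireRole("Admin") policy would each see, since RequireClaim looks for a claim of that type while roles live under the role claim. The "role" claim type and the signing key are assumptions made for the example.

```python
import base64
import hmac
import json
from urllib.parse import urlencode

ROLE_CLAIM = "role"  # assumption: OpenIddict copies roles into the "role" claim

def token_request_body(username: str, password: str, scopes: list) -> str:
    # Password-grant form body; the answer's point is that "roles" must be in scope
    return urlencode({"grant_type": "password", "username": username,
                      "password": password, "scope": " ".join(scopes)})

def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_hs256(payload: dict, key: bytes) -> str:
    # Constructed HS256 token so the example runs offline (a real server signs for you)
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), "sha256").digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_hs256(token: str, key: bytes) -> dict:
    # Reject unexpected algorithms and bad signatures before trusting any claim
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), "sha256").digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))

def roles_in(payload: dict) -> list:
    # The role claim is a string for one role and a list for several
    value = payload.get(ROLE_CLAIM, [])
    return [value] if isinstance(value, str) else list(value)

def satisfies_require_claim(payload: dict, claim_type: str) -> bool:
    # RequireClaim("Admin") asks for a claim whose *type* is "Admin"
    return claim_type in payload

def satisfies_require_role(payload: dict, role: str) -> bool:
    # RequireRole("Admin") asks for "Admin" among the role claim's values
    return role in roles_in(payload)
```

Decoding the real access token the same way (after signature verification) shows immediately whether the roles scope took effect and whether the policy is matching on the claim type you expect.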