I have an ASP.NET Core client application that uses an IdentityServer4 as login server. The client can log in when the controller is decorated with the attribute [Authorize], but if I use the attribute with roles, [Authorize(Roles = "test")], I get an Access-Denied.
However, when I parse the JWT I can see that the user has the correct role assigned:
```json
{
  "nbf": xxx,
  "exp": xxx,
  "iss": "xxx",
  "aud": [
    "xxx",
    "xxx"
  ],
  "client_id": "xxx",
  "sub": "xxx",
  "auth_time": xxx,
  "idp": "xxx",
  "email": "xxx",
  "role": "test", <-------------------------------
  "scope": [
    "openid",
    "profile",
    "xxx",
    "xxx"
  ],
  "amr": [
    "xxx"
  ]
}
```
Even though the user role is present in the access token, it is not recognized as a role, since it is part of the user claims. For example, User.IsInRole("test") returns false.
I solved the issue by creating a policy that uses RequireClaim and then setting the Authorize attribute to use the policy, such as [Authorize(Policy = "RequireUserOnly")].
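The following Startup is an added example, not code from the question author or from IdentityServer4, showing both fixes side by side: the RequireClaim policy the question describes, and the alternative of telling the authentication handler that the "role" claim type carries roles (ClaimsIdentity.RoleClaimType), which is what User.IsInRole and [Authorize(Roles = ...)] consult. The Roles check fails when the claim in the principal is typed "role" while RoleClaimType still points at the default long URI claim type, so the two never match. Assumptions: the client uses the OpenID Connect handler with the authorization code flow, the role claim is delivered via the userinfo endpoint and copied onto the principal with a ClaimActions mapping, and the authority, client id and secret are placeholders.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();

        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            // Placeholder values (assumption): replace with the real IdentityServer4
            // authority and the client registration it knows about.
            options.Authority = "https://identityserver.example";
            options.ClientId = "client-id-placeholder";
            options.ClientSecret = "client-secret-placeholder";
            options.ResponseType = "code";
            options.Scope.Add("openid");
            options.Scope.Add("profile");

            // Assumption: "role" is returned by the userinfo endpoint; copy it onto the
            // principal under the short claim type "role" (not the long URI type).
            options.GetClaimsFromUserInfoEndpoint = true;
            options.ClaimActions.MapJsonKey("role", "role");

            // Fix B: make the framework treat the "role" claim type as the role claim.
            // After this, User.IsInRole("test") and [Authorize(Roles = "test")] work
            // without any policy.
            options.TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name",
                RoleClaimType = "role"
            };
        });

        // Fix A: the policy approach from the question. RequireClaim matches on the
        // claim type and value directly, so it does not depend on RoleClaimType.
        services.AddAuthorization(options =>
        {
            options.AddPolicy("RequireUserOnly", policy =>
                policy.RequireAuthenticatedUser()
                      .RequireClaim("role", "test"));
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        // Order matters: authentication must run before authorization.
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}

// Protected with the policy (Fix A); with Fix B in place the same controller could
// instead use [Authorize(Roles = "test")].
[Authorize(Policy = "RequireUserOnly")]
public class TestController : Controller
{
    public IActionResult Index() => Content("role claim present");
}
```

One check worth doing when the policy still denies access: dump User.Claims on an authenticated action and confirm the claim type is literally "role" and the value is "test" (RequireClaim compares values ordinally, so "Test" would not match). If the claim is missing entirely, the problem is that it was never copied onto the principal, and the ClaimActions mapping or the identity resource configuration on the server is the place to look, not the authorization policy.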