Tags: asp.net-core, identityserver4, claims

ASP.Net Core 3.0 merged roles


In my current web application, I authenticate a user with the claim "customRole" (plus its value) and use the attribute "Authorize" to allow/deny access to actions. All works well until the user has more than one claim of the same type: the access gets denied all the time, and when debugging I noticed that only one claim was created for the type "customRole" and its value is changed to a concatenated string with both values.

I was expecting two claims of the same type, but each with a different value. I'm using ASPNET.Core 3.0 with IdentityServer4 but from what is written here, IdentityServer4 is not the problem.

For example, I'm adding the claims like so on the IdentityServer side:

uClaims.Add(new Claim("customRole", "superadmin"));
uClaims.Add(new Claim("customRole", "simpleadmin"));

But when I get into the client application I get the claim like so:

customRole = ["superadmin","simpleadmin"]

This breaks all logic behind the attribute for the roles that I'm using on actions for the client application:

[Authorize(Roles = "superadmin")]

I tried following what is discussed in the previous link (here), but the problem persists.

Is there anything missing so the claims get separated instead of one merged with different values? Or using the authorize in a different way that allows the array of values?

Should also mention, that I started working with Asp.NetCore, IdentityServer4 and Roles for the first time in this last month, I'm in a learning curve.

Thank you for your time, cheers


Solution

  • I found out the reason why. I was using on "Startup"

    .AddOpenIdConnect(IdentityServerConstants.ProtocolTypes.OpenIdConnect, options => { options.ClaimActions.MapUniqueJsonKey("customRole", "customRole"); });

    instead of

    .AddOpenIdConnect(IdentityServerConstants.ProtocolTypes.OpenIdConnect, options => { options.ClaimActions.MapJsonKey("customRole", "customRole"); });

    Now, all claims of the same type get separated and not concatenated as one inside the clientApp. I think I was using the wrong mapper because I copied from one of the IdentityServer4 quickstart tutorials (or other people's examples from googling around) :) Hope my own answer prevents others from having to lose hours to understand that things work as they are supposed to :)

    @Nan Yu: The correction about the RoleClaimType options solves the problem of using the type = "customRole" instead of the default, but multiple claims of the same type still get concatenated. But, from your comment I learned something new, customizing the roleClaimType, thank you for that

    @Mehrdad With the configuration I'm using, the claim is not listed on the context, only claims like "nbf", "iss", "aud" etc. show up, custom ones don't show up here (dunno why). But still, I messed around and found out that it is possible, like you said, to add extra claims here, so it could be useful in future, thanks for sharing the info
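Putting the two fixes from this thread together (MapJsonKey from the accepted answer, RoleClaimType from Nan Yu's comment), here is a complete client-side Startup as an added example; it is not the poster's code. It assumes ASP.NET Core 3.0 with the Microsoft.AspNetCore.Authentication.OpenIdConnect package; the authority URL and client id are placeholders, and GetClaimsFromUserInfoEndpoint is set on the assumption that the custom claims are returned by the userinfo endpoint, as in the IdentityServer4 quickstarts.

```csharp
// Added example (not the poster's code): client-side configuration that keeps
// multiple "customRole" claims separate and lets [Authorize(Roles = ...)] read them.
// Assumes ASP.NET Core 3.0 + Microsoft.AspNetCore.Authentication.OpenIdConnect.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();

        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            options.Authority = "https://identityserver.example.invalid"; // placeholder
            options.ClientId = "mvc-client";                               // placeholder
            options.ResponseType = "code";
            options.SaveTokens = true;

            // Assumption: custom claims arrive via the userinfo endpoint, not the id_token.
            options.GetClaimsFromUserInfoEndpoint = true;

            // MapJsonKey emits one claim per array element:
            //   customRole = ["superadmin","simpleadmin"]  ->  two "customRole" claims.
            // MapUniqueJsonKey (copied from the quickstart) keeps a single claim of the
            // type, which is why the poster saw one concatenated value.
            options.ClaimActions.MapJsonKey("customRole", "customRole");

            // Tell the resulting identity which claim type IsInRole / [Authorize(Roles)]
            // should consult; the default is the standard role claim type, not "customRole".
            options.TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name",
                RoleClaimType = "customRole"
            };
        });

        services.AddAuthorization();
    }
}

// With the two fixes above, the role check succeeds when any one of the separate
// "customRole" claims matches.
public class AdminController : Controller
{
    [Authorize(Roles = "superadmin")]
    public IActionResult Index() => Content("superadmin only");

    // Comma-separated roles are OR-ed: either claim value grants access.
    [Authorize(Roles = "superadmin,simpleadmin")]
    public IActionResult Shared() => Content("either role");
}
```

A quick way to confirm the mapping is to dump `User.Claims` in an action after sign-in: with MapJsonKey you should see two entries whose Type is "customRole", whereas with MapUniqueJsonKey you will see the single JSON-array string the question describes. Note that both mappers are exact-match on the JSON key, so the name used in the IdentityServer claim must match the first argument here character for character.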