Tags: amazon-web-services, asp.net-identity, amazon-cognito

Role-based authorization for AWS Cognito


Thanks to a newly released module, AWS Cognito is now an ASP.NET Core Identity Provider.

It would be nice to do role-based authorization via [Authorize(Roles = "{Role}")]; however, currently it doesn't work, in part probably because Cognito groups/roles are mapped to the cognito:groups claim.

Is there a way to get it to work? (besides writing a custom policy)

I have also submitted an issue: https://github.com/aws/aws-aspnet-cognito-identity-provider/issues/86

Other references:

https://aws.amazon.com/blogs/developer/introducing-the-asp-net-core-identity-provider-preview-for-amazon-cognito/


Solution

  • I know this is old; however, I just managed to get this working without a custom Authoriser.

    My page class is defined with:

    [Authorize(Roles = "admin")]
    public class MyClass : PageModel
    {
    ...
    }
    

    The case of "admin" appears to be important (had a similar issue with the logout URL - found it had to be lower case). Initially I had it as "Admin" and it didn't work.

    In your "startup.cs" file, where you are setting the "TokenValidationParameters" you set a "RoleClaimType".

    // TokenValidationParameters comes from the Microsoft.IdentityModel.Tokens namespace.
    options.TokenValidationParameters = new TokenValidationParameters
    {
      ValidateIssuer = authOptions.Value.TokenValidationParameters.ValidateIssuer,
      // Tell the JWT bearer middleware which claim carries role membership.
      // Cognito puts group names in "cognito:groups", so [Authorize(Roles = ...)]
      // and User.IsInRole() now treat those groups as roles.
      RoleClaimType = "cognito:groups"
    };
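
The following is an added example, not code from the question, the answer, or the aws-aspnet-cognito-identity-provider project. It is a stand-alone console program that reproduces what the JWT bearer middleware does with `TokenValidationParameters.RoleClaimType`: the token handler builds a `ClaimsIdentity` whose role claim type is that value, and `[Authorize(Roles = "...")]` ends up calling `ClaimsPrincipal.IsInRole`. The claim values (`sub`, `cognito:username`, the two `cognito:groups` entries) are constructed sample data, not taken from a real token.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

static class CognitoRoleDemo
{
    // Builds a principal from the kind of claims a Cognito token carries, using
    // the given role claim type the way the JWT handler uses RoleClaimType.
    // All claim values below are constructed sample data.
    static ClaimsPrincipal BuildPrincipal(string roleClaimType)
    {
        var claims = new List<Claim>
        {
            new Claim("sub", "00000000-0000-0000-0000-000000000000"),
            new Claim("cognito:username", "alice"),
            // A user in several Cognito groups gets one "cognito:groups" claim per group.
            new Claim("cognito:groups", "admin"),
            new Claim("cognito:groups", "reporting"),
        };

        var identity = new ClaimsIdentity(
            claims,
            authenticationType: "Bearer",
            nameType: "cognito:username",
            roleType: roleClaimType);

        return new ClaimsPrincipal(identity);
    }

    static void Main()
    {
        // With the default role claim type, IsInRole looks for ClaimTypes.Role
        // ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), a claim
        // a Cognito token never contains, so group membership is invisible to
        // [Authorize(Roles = ...)]. This is the situation the question describes.
        var withDefault = BuildPrincipal(ClaimTypes.Role);
        Console.WriteLine($"default RoleClaimType, IsInRole(\"admin\"): {withDefault.IsInRole("admin")}");

        // With RoleClaimType = "cognito:groups", each group claim is a role.
        var withGroups = BuildPrincipal("cognito:groups");
        Console.WriteLine($"cognito:groups, IsInRole(\"admin\"):      {withGroups.IsInRole("admin")}");
        Console.WriteLine($"cognito:groups, IsInRole(\"reporting\"):  {withGroups.IsInRole("reporting")}");

        // ClaimsIdentity compares claim *types* case-insensitively but claim
        // *values* ordinally, so the role name must match the group name exactly.
        // This is why the answer found that "Admin" did not work against an "admin" group.
        Console.WriteLine($"cognito:groups, IsInRole(\"Admin\"):      {withGroups.IsInRole("Admin")}");
    }
}
```

Run it as a plain console project (`dotnet run`); only the base class library is needed. The first check fails, the two lower-case group checks succeed, and the capitalised `Admin` check fails, which together explain both the original problem and the case-sensitivity caveat in the answer. Two points worth keeping in mind when relying on this in a real service: the `cognito:groups` claim is only trustworthy after signature, issuer and audience validation have passed (which is what `TokenValidationParameters` is for), and because the check is a plain string comparison, group names in the user pool and role names in `[Authorize]` attributes need to be kept consistent in case to avoid silently denying legitimate users.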