
Azure Ad Returning Roles in Claims but User.IsInRole returns false

Any idea what might be causing this? I can see the claims in User.Claims. The only thing I can think of is that the claims from Azure AD Roles come back differently than what IsInRole() checks for?

CorpAdmin Role showing in claims.

User.IsInRole returns false

Startup.Auth

Just to clarify, I AM getting roles back, but I think they are not being added to the list of claims correctly and I cannot figure out why. Neither IsInRole nor [Authorize(Roles="...")] will correctly check the roles claims.

Any one of these changes worked for me:

            TokenValidationParameters = new TokenValidationParameters()
            {
                ValidateIssuer = false,
                RoleClaimType = System.Security.Claims.ClaimTypes.Role
            },

or

            TokenValidationParameters = new TokenValidationParameters()
            {
                ValidateIssuer = false,
                RoleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
            },

You need to specify the name of the claims type that contains the roles. Like this:

TokenValidationParameters = new TokenValidationParameters
{
    ValidateIssuer = true,
    RoleClaimType = "roles"
},

After a lot of digging I found what the issue was for us. Some of these answers are correct, but only if you have not configured your App Service to have Azure AD enabled.

If you do this, the RoleClaimType defined in code will not be used; it will be set to the default of "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", but all your role claims will be "roles".

The solution is to basically copy the claims from "roles" to the ClaimsIdentity.RoleClaimType. The solution was found here and mentioned above.

Solution:

using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Extensions;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public void ConfigureAuth(IAppBuilder app)
{
    //This setting ensures that we use the specified TokenValidationParameters.RoleClaimType below
    //(otherwise the JWT handler maps "roles" to the WS-Federation role URI before the identity is built)
    JwtSecurityTokenHandler.DefaultMapInboundClaims = false;

    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    app.UseCookieAuthentication(new CookieAuthenticationOptions());
    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            //Omitted some stuff
            TokenValidationParameters = new TokenValidationParameters()
            {
                ValidateIssuer = true,
                RoleClaimType = "roles"
            }
        }
    );

    //Configure our OnAuth method to fix the roles post auth.
    //The stage marker runs this middleware after authentication, when the principal is populated.
    app.Use((context, next) =>
    {
        OnAuth(context);
        return next.Invoke();
    });
    app.UseStageMarker(PipelineStage.PostAuthenticate);
}

private static void OnAuth(IOwinContext context)
{
    if (ClaimsPrincipal.Current.Identity.IsAuthenticated)
    {
        var claimsPrincipal = ClaimsPrincipal.Current;
        var claimsIdentity = claimsPrincipal.Identity as ClaimsIdentity;

        //local dev will be right: the configured RoleClaimType was honoured, nothing to copy
        if (claimsIdentity.RoleClaimType == "roles")
            return;

        //Find all the claims with "roles" and add a copy claim with the correct RoleClaimType.
        //Collect first, then add, so we never mutate the claim list while enumerating it.
        var appRoles = new List<Claim>();
        foreach (Claim claim in claimsPrincipal.FindAll("roles"))
            appRoles.Add(new Claim(claimsIdentity.RoleClaimType, claim.Value));

        if (appRoles.Count > 0)
            claimsIdentity.AddClaims(appRoles);
    }
}
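The following stand-alone console program is an added illustration, not code from the question or from any of the answers above. It reproduces, with only System.Security.Claims and no token at all, the mismatch that both the "specify RoleClaimType" answer and the post-authentication copy fix address: IsInRole() only looks at claims whose type equals the identity's RoleClaimType, so "roles" claims are invisible when that type is left at the default. The claim values (a hypothetical user and the CorpAdmin/Reader roles) are constructed sample data.

```csharp
// Added example (not from the original post): why User.IsInRole() returns false when
// the token's roles arrive as "roles" claims but ClaimsIdentity.RoleClaimType is the
// default WS-Federation role URI, and two ways to make the check pass.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class RoleClaimDemo
{
    // Constructed sample: the claims an Azure AD token carries for a user assigned
    // two app roles. The user name is hypothetical.
    static IEnumerable<Claim> SampleClaims() => new[]
    {
        new Claim("name", "alice@contoso.example"),
        new Claim("roles", "CorpAdmin"),
        new Claim("roles", "Reader"),
    };

    // Default RoleClaimType (ClaimTypes.Role): IsInRole searches for that claim type,
    // so the "roles" claims are never consulted and the check fails.
    public static bool DefaultRoleClaimType()
    {
        var identity = new ClaimsIdentity(SampleClaims(), "Federation");
        Console.WriteLine($"RoleClaimType in use: {identity.RoleClaimType}");
        return new ClaimsPrincipal(identity).IsInRole("CorpAdmin"); // false
    }

    // Fix 1 (what TokenValidationParameters.RoleClaimType = "roles" achieves): build the
    // identity with "roles" declared as the role claim type.
    public static bool ExplicitRoleClaimType()
    {
        var identity = new ClaimsIdentity(SampleClaims(), "Federation",
                                          nameType: "name", roleType: "roles");
        return new ClaimsPrincipal(identity).IsInRole("CorpAdmin"); // true
    }

    // Fix 2 (the post-authentication OnAuth approach): when the RoleClaimType cannot be
    // changed, copy each "roles" claim to the type the identity actually checks.
    public static bool CopyRolesToRoleClaimType()
    {
        var identity = new ClaimsIdentity(SampleClaims(), "Federation");
        if (identity.RoleClaimType != "roles")
        {
            // Materialise the copies before adding them so the claim list is not
            // modified while it is being enumerated.
            var copies = identity.FindAll("roles")
                                 .Select(c => new Claim(identity.RoleClaimType, c.Value))
                                 .ToList();
            identity.AddClaims(copies);
        }
        return new ClaimsPrincipal(identity).IsInRole("CorpAdmin"); // true
    }

    public static void Main()
    {
        Console.WriteLine($"default RoleClaimType  -> IsInRole(CorpAdmin) = {DefaultRoleClaimType()}");
        Console.WriteLine($"RoleClaimType = \"roles\" -> IsInRole(CorpAdmin) = {ExplicitRoleClaimType()}");
        Console.WriteLine($"copied role claims     -> IsInRole(CorpAdmin) = {CopyRolesToRoleClaimType()}");
    }
}
```

The copying step grants nothing that token validation did not already accept; it only re-labels claims the validated identity already holds. Run it only after authentication has succeeded, as the IsAuthenticated guard in OnAuth does, and never on an identity built from an unvalidated token.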

If you are having the same issue as I was, I created a custom AuthorizeAttribute class and I forgot to override the AuthorizeCore function. Adding the code below resolved the issue for me.

    using System.Web;
    using System.Web.Mvc;

    //Class name assumed; the post only says it was a custom AuthorizeAttribute
    public class CustomAuthorizeAttribute : AuthorizeAttribute
    {
        //Core authorization check, called before each action; delegates to the base role/user check
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            return base.AuthorizeCore(httpContext);
        }
    }
Add ValidateIssuer = false:

TokenValidationParameters = new TokenValidationParameters
{
    ValidateIssuer = false,
    NameClaimType = "name",
    RoleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
}
