
Asp.Net Core Identity with AuthorizeAttribute not working for Roles

So I have currently implemented IdentityServer 4 in a .Net core application using JWT bearer tokens for authentication.

The issue is that when using [Authorize(Roles = "Admin")] I get the following in the logs: [Information] AuthenticationScheme: "Bearer" was forbidden.

When I have just the [Authorize] attribute it works fine.

Here is the code:

// Entity Framework store (SQLite) backing ASP.NET Core Identity.
services.AddDbContext<OmbiContext>(options =>
    options.UseSqlite("Data Source=Ombi.db"));

// ASP.NET Core Identity: users and roles live in OmbiContext (AspNetUsers, AspNetRoles, AspNetUserRoles).
services.AddIdentity<OmbiUser, IdentityRole>()
    .AddEntityFrameworkStores<OmbiContext>()
    .AddDefaultTokenProviders();

// IdentityServer 4 token service, using ASP.NET Identity as its user store.
// AddTemporarySigningCredential() generates a fresh signing key on every start
// (development only: tokens issued before a restart stop validating).
// Which user claims (for example "role") are copied into an access token is
// decided by the ApiResource definitions in IdentityConfig.GetApiResources(),
// not by what is stored in the Identity tables.
services.AddIdentityServer()
    .AddTemporarySigningCredential()
    .AddInMemoryPersistedGrants()
    .AddInMemoryIdentityResources(IdentityConfig.GetIdentityResources())
    .AddInMemoryApiResources(IdentityConfig.GetApiResources())
    .AddInMemoryClients(IdentityConfig.GetClients())
    .AddAspNetIdentity<OmbiUser>();

// Password policy relaxed to a single character of any kind; a development
// setting that should not ship like this.
services.Configure<IdentityOptions>(options =>
{
    options.Password.RequireDigit = false;
    options.Password.RequiredLength = 1;
    options.Password.RequireLowercase = false;
    options.Password.RequireNonAlphanumeric = false;
    options.Password.RequireUppercase = false;
});

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory, IMemoryCache cache)
{
    app.UseIdentity();        // cookie-based ASP.NET Identity middleware
    app.UseIdentityServer();  // token/discovery endpoints (/connect/token, /.well-known/openid-configuration)

    // Bearer token validation for the API (IdentityServer4.AccessTokenValidation):
    // self-contained JWTs are validated locally, reference tokens via introspection.
    app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
    {
        // `options` is an IOptions<...> instance that is not shown in the post.
        Authority = options.Value.WebsiteUrl,
        ApiName = "api",        // must match the ApiResource name in IdentityConfig; also used as the audience
        ApiSecret = "secret",   // hard-coded; only needed for introspection of reference tokens

        EnableCaching = true,
        CacheDuration = TimeSpan.FromMinutes(10), // that's the default
        RequireHttpsMetadata = options.Value.UseHttps, // FOR DEV set to false; keep true in production
        AutomaticAuthenticate = true,
        AutomaticChallenge = true
    });
// etc...
}

Code to create the user and role:

 // Create the user, then make sure the Admin role exists and assign it.
 var result = await UserManager.CreateAsync(userToCreate, user.Password);
 if (result.Succeeded)
 {
     if (!(await RoleManager.RoleExistsAsync("Admin")))
     {
         var r = await RoleManager.CreateAsync(new IdentityRole("Admin"));  // r.Succeeded is not checked here
     }
     var re = await UserManager.AddToRoleAsync(userToCreate, "Admin");     // writes AspNetUserRoles; re.Succeeded is not checked here
 }

Looking in the database, everything is linked up correctly and I can see that that user has the correct role, but the Authorize attribute still does not work.

EDIT

After a bit more investigation, looking at the User property on the controller when we have the [Authorize] attribute, here is the result: (screenshot of the User property; not reproduced here)

So it seems that we do not even get the username or anything about the user.

I think you might be missing UseJwtBearerAuthentication inside of your Configuration method.

app.UseJwtBearerAuthentication(new JwtBearerOptions()
{
    TokenValidationParameters = new TokenValidationParameters()
    {
        // You can set different kind of validations here.
        // ValidateIssuerSigningKey, ValidateAudience, ValidateIssuer, etc.
    }
});

Looking at the image you have provided, it looks like you have 20 claims in your claim list. Try to see what roles/claims you see in that list!

You can get the list with:

// Dump every claim the bearer middleware put into the principal; [Authorize(Roles = ...)]
// only succeeds if one of these has the identity's role claim type and the value "Admin".
var claims = HttpContext.User.Claims.ToList();

foreach (var c in claims)
{
     Console.WriteLine(c.Type + ": " + c.Value);
}
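Added example, written for this page; it is not code from the question, the answer, or the Ombi project. It puts the point behind the claim dump above into working code: IdentityServer4 copies a user claim (such as "role") into an access token, or returns it from introspection, only when the ApiResource the token is issued for lists that claim type in its UserClaims, so a role that is correctly stored in AspNetUserRoles still never reaches the API unless the resource asks for it. The API name "api" and the "Admin" role come from the post; the class names IdentityConfigExample and ClaimsDebugController, the display name "Ombi API", and the route names are assumptions. The "role" default for RoleClaimType is what IdentityServer4.AccessTokenValidation sets when nothing else is configured.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical replacement for the IdentityConfig.GetApiResources() referenced in the question.
public static class IdentityConfigExample
{
    // Before: no UserClaims. The token still carries "sub", "scope", "aud" and so on,
    // but never "role", so [Authorize(Roles = "Admin")] has nothing to match and
    // the log shows 'AuthenticationScheme: "Bearer" was forbidden'.
    public static IEnumerable<ApiResource> GetApiResourcesWithoutRole()
    {
        return new List<ApiResource>
        {
            new ApiResource("api", "Ombi API")
        };
    }

    // After: "name" and "role" are requested for this API. The AspNetIdentity profile
    // service then pulls them from the user's ClaimsPrincipal (role claims are emitted
    // under the type "role") and they appear in the access token / introspection result.
    public static IEnumerable<ApiResource> GetApiResources()
    {
        return new List<ApiResource>
        {
            new ApiResource("api", "Ombi API", new[] { "name", "role" })
        };
    }
}

// Diagnostic controller for the API side (assumed name). It reports exactly what the
// bearer middleware placed into HttpContext.User, which is what [Authorize] evaluates.
[Route("api/[controller]")]
public class ClaimsDebugController : Controller
{
    // Plain [Authorize]: succeeds whenever the token itself validates.
    [HttpGet("whoami")]
    [Authorize]
    public IActionResult WhoAmI()
    {
        var identity = User.Identity as ClaimsIdentity;
        return Ok(new
        {
            Name = User.Identity.Name,
            // The claim type IsInRole / Roles = "..." compares against. With
            // IdentityServer4.AccessTokenValidation this defaults to "role"; if roles
            // arrive under any other type they are silently ignored by [Authorize].
            RoleClaimType = identity?.RoleClaimType,
            IsAdmin = User.IsInRole("Admin"),
            Claims = User.Claims.Select(c => new { c.Type, c.Value }).ToList()
        });
    }

    // Role-gated endpoint: 403 unless a claim of type RoleClaimType with value "Admin"
    // is present in the principal.
    [HttpGet("admin-only")]
    [Authorize(Roles = "Admin")]
    public IActionResult AdminOnly() => Ok("role claim reached the API");
}
```

Call /api/claimsdebug/whoami with the same bearer token first: if "role"/"Admin" is missing from the claim list while the database row in AspNetUserRoles exists, the token was issued without that claim and the fix belongs on the IdentityServer side (the ApiResource), not in the API's [Authorize] attribute. If the claim is present but IsAdmin is false, the RoleClaimType reported does not match the type the claim was issued under.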
