Authenticated request has an incorrect RoleClaimType
I am using OpenIddict 2.0.
My UserManager creates a principal when it treats the OpenIdRequest; this UserManager is using the ClaimType role.
Then, when the user is using the token for accessing a resource, the Identity.RoleClaimType is set to http://schemas.microsoft.com/ws/2008/06/identity/claims/role instead of role.
The claim role is included in the principal, but because it is not http://schemas.microsoft.com/ws/2008/06/identity/claims/role, ClaimsPrincipal.IsInRole returns false.
Is there a way for me to customize how OpenIddict is creating the ClaimsPrincipal to fix this?
Issue Analytics
- State:
- Created 4 years ago
- Comments:5 (4 by maintainers)
Top GitHub Comments
The NameClaimType/RoleClaimType are currently not honored when using introspection, as the ClaimsIdentity is not created by IdentityModel but by OpenIddict in this case. I opened https://github.com/openiddict/openiddict-core/issues/1026 to track that. It’s trivial to fix, so let me know if you’re interested in sending a PR 😄
It will be fixed in the next release. In the meantime, it’s very easy to work around using a tiny handler that runs after PopulateClaims and recreates the identity with the correct name/role claim types:
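The maintainer's handler is not reproduced on this page. The following is an added example, not code from the issue or from OpenIddict, showing only the identity-recreation step with System.Security.Claims and why IsInRole changes its answer. The names RoleClaimFix and Rebuild, the "name" claim type and the sample claims are assumptions; wiring the step into an OpenIddict handler is not shown.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

public static class RoleClaimFix
{
    // Hypothetical helper: copies every claim into new identities whose
    // NameClaimType/RoleClaimType match the short claim names the token carries.
    // The claims themselves are unchanged; only the types that IsInRole and
    // Identity.Name look up are different.
    public static ClaimsPrincipal Rebuild(
        ClaimsPrincipal principal, string nameType = "name", string roleType = "role")
    {
        var identities = principal.Identities.Select(identity =>
            new ClaimsIdentity(identity.Claims, identity.AuthenticationType, nameType, roleType));
        return new ClaimsPrincipal(identities);
    }

    public static void Main()
    {
        // Constructed sample: an identity built from a token that uses the short
        // "role" claim, created without specifying a role claim type.
        var claims = new[]
        {
            new Claim("sub", "user-1"),
            new Claim("name", "alice"),
            new Claim("role", "admin"),
        };
        var before = new ClaimsPrincipal(new ClaimsIdentity(claims, "Bearer"));

        // With no role type given, RoleClaimType defaults to ClaimTypes.Role
        // (the long schemas.microsoft.com URI), so the "role" claim is never
        // consulted and role-based authorization denies the request.
        var identity = (ClaimsIdentity)before.Identity;
        Console.WriteLine($"RoleClaimType before: {identity.RoleClaimType}");
        Console.WriteLine($"IsInRole(admin) before: {before.IsInRole("admin")}");

        // After the rebuild, IsInRole matches claims of type "role".
        var after = Rebuild(before);
        Console.WriteLine($"RoleClaimType after: {((ClaimsIdentity)after.Identity).RoleClaimType}");
        Console.WriteLine($"IsInRole(admin) after: {after.IsInRole("admin")}");

        // Roles the token does not carry are still rejected.
        Console.WriteLine($"IsInRole(auditor) after: {after.IsInRole("auditor")}");
    }
}
```

Because the mismatch makes role checks fail closed, it shows up as unexpected 403 responses rather than as over-granted access; logging the identity's RoleClaimType next to its claim list makes the cause visible.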