Role-based authorisation

First of all apologies if this question is really stupid - I’m new to both openiddict and open id connect / oauth.

I’m doing my best to wire up an application through openiddict with the following basic structure:

1. Authentication Server (.net core web api)
2. Web Client (.net core web application)
3. Web Api (.net core web api) - with authorisation

The Web Client is very basic - a static html page that allows: a. The sending of a token request to the Authentication Server, and b. Information retrieval from the web api using the access token received from a. (Jwt)

When I [Authorize] to the controller in my Web Api, the token/client is authorized correctly when both using my Web Client, and through Postman.

However, when I change that to [Authorize(Roles=“admin”)], the request to the Web Api is successful in Postman, but returns a 403 when I make the same request from my Web Client.

I’m probably missing something really simple, but I was just wondering if you could explain to me what is missing / what is needed to allow the authorization against the roles to work when making requests from my Web Client?

My authorization service startup code looks like:

public void ConfigureServices(IServiceCollection services)
{
    // add our db context
    services.AddDbContext<OpenIdDictContext>(options => options.UseSqlServer(Configuration.GetConnectionString("OpenIdDict")));

    // add identity
    // TODO: create custom user manager for custom mhm claims
    services.AddIdentity<OpenIdUser, OpenIdRole>()
        .AddEntityFrameworkStores<OpenIdDictContext>()
        .AddUserManager<OpenIddictUserManager<OpenIdUser>>();

    // add OpenIddict
    // TODO: need to arrange an x509 certificate to use as the signing key
    services.AddOpenIddict<OpenIdUser, OpenIdRole, OpenIdDictContext>()
        .DisableHttpsRequirement()
        .EnableTokenEndpoint("/connect/token")
        .EnableUserinfoEndpoint("/connect/userinfo")
        .AllowPasswordFlow()
        .AllowRefreshTokenFlow()
        .UseJsonWebTokens()
        .AddEphemeralSigningKey();

    services.AddCors();

    // Add framework services.
    services.AddMvc();
}

// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory) 
{
    loggerFactory.AddConsole(Configuration.GetSection("Logging"));
    loggerFactory.AddDebug();

    app.UseCors(builder => builder.WithOrigins("http://localhost:52372"));

    app.UseMvc();

    app.UseOpenIddict();
}

The startup of the web api which is authorizing against the token looks like:

public void ConfigureServices(IServiceCollection services)
{
    services.AddCors();
    // Add framework services.
    services.AddMvc();

    var config = new ConfigurationBuilder()
        .SetBasePath(Directory.GetCurrentDirectory())
        .AddJsonFile("appsettings.json")
        .Build();
}

// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    loggerFactory.AddConsole(Configuration.GetSection("Logging"));
    loggerFactory.AddDebug();

    // use jwt bearer authentication
    app.UseJwtBearerAuthentication(new JwtBearerOptions
    {
        AutomaticAuthenticate = true,
        AutomaticChallenge = true,
        RequireHttpsMetadata = false,
        Audience = "http://localhost:59967/",
        Authority = "http://localhost:59967/",
    });

    app.UseCors(builder => builder.AllowAnyHeader().AllowAnyMethod().AllowAnyOrigin());

    app.UseMvc();
}