Why isn't [Authorize(Roles = "Admin")] working in MVC 5 RTM with ASP.NET Identity?

14
votes

Does [Authorize(Roles = "Admin")] work out of the box in MVC 5 RTM with ASP.NET Identity?

I've had no luck. Note that [Authorize] and [Authorize(Users = "AdminUser")] work just fine, and the AspNetUserRoles and AspNetRoles tables are populated as I would expect them to be, establishing a relationship between the AdminUser user and the Admin role. This issue seems specific to roles.

3
entity-frameworkasp.net-mvc-5asp.net-identity
The Authorize attribute works out-of-the-box with MVC 5 and ASP.NET Identity. The description of the issue you are having is not very clear. Are you saying it only fails when you use the Admin role and not the AdminUser role. Show some code on how you seeded the roles and mapped the users to the roles.Kevin Junghans
Authorize does work out of the box, but setting Roles does not work as expect. When my user, AdminUser, is assigned to the role Admin and I apply the [Authorize(**Roles** = "Admin")] attribute I receive access denied which is not expected. When I apply the [Authorize(**Users**= "AdminUser")] attribute I am permitted access as is expected. As far as my seeding code goes, my tables look exactly as they should with a relationship between the AdminUser user and the Admin role in the AspNetUserRoles table. Does using Roles = "..." work for you with a fresh MVC 5 site?Jeremy Cook
@KevinJunghans I don't know if it matters, but the only table that is not populated is the AspNetUserClaims table.Jeremy Cook
Claims are optional and used for customizing the authorization process. If you would like to see a working example go to the SimpleSecurity Project simplesecurity.codeplex.com/SourceControl/latest#AspNetIdentity/… . You will see an AuthorizeAttribute is used on the About action in the Home controller. Sign in with "user" and "password" and it will let you get to this View.Kevin Junghans
Thanks @KevinJunghans. Your feedback encouraged me to keep trying.Jeremy Cook

3 Answers

12
votes

The user may need to be re-authenticated to receive new claims that include membership in the Admin role. Since MVC 5 uses ASP.NET Identity out of the box, and by default in MVC 5, ASP.NET Identity stores claims like roles in the user's cookies, that information can become stale (hence the database says one thing but the user's cookies say something else). Re-authenticating a user will refresh their claims, including user role claims, to match the current state of the database.

For example:

If a user signs in before being assigned to the Admin role in the database that user will be granted claims but they will not include their assignment to the Admin role. If later, they are added to the Admin role, the claims stored in their cookies are not automatically updated. Instead only the database has been update, the application has to re-authenticate them before their old claims will be replaced with the new claims that include membership in the Admin role. Having the user manually sign out and back in, is the most obvious way re-authenticate that user.

Here's an article on Using Claims in ASP.NET Identity

6
votes

And the answer is the UserManager's DbContext must have lazy loading enabled in order for user roles to manifest in the application in the usual, expected, way. As it turns out, not all of my code was "out of the box." I had customized my DbContext ever so slightly. Hopefully in the future Microsoft will sidestep this integration bug by ensuring the collection is loaded with something like userDbContext.Users.Include(o => o.Roles).SingleOrDefault(...).

  • DO: ApplicationDbContext.Configuration.LazyLoadingEnabled = true;
  • DO NOT: ApplicationDbContext.Configuration.LazyLoadingEnabled = false;

Note that if ApplicationDbContext.Configuration.LazyLoadingEnabled is not set in your code then it defaults to true. So leaving off that line is as good as setting it to true.

Etc.

Here's my guess at what is going on when lazy loading is disabled, the Roles property of the IdentityUser / ApplicationUser object is null or empty when the UserManager or UserStore accesses it because that collection was not manually loaded. The code then carries on like no roles have been assigned to the user when in fact that collection simply was never loaded.

Ah, the aroma of silent failure. Had the code only made some noise when things didn't look right.

-3
votes
<system.webServer>
<modules>
    <remove name="RoleManager" />
</modules>
</system.webServer>