1
votes

I have the solution with projects: IdentityServer4, ApiServer, MvcClient. I use Hybrid flow. Auth works very well but I can't get the role in MvcClient.

In the MvcClient app, after authorization, I get an access_token. The token contains the necessary claims. But the MVC application cannot access the user role.

That is, it is assumed that I will call the external API from the MVC application. But I also need the MVC application to be able to use the user role.

Attribute [Authorize] works fine but [Authorize(Roles = "admin")] doesn't work!

Source code here: gitlab

1
It's hard to understand the reason for your problem without the source code - Alex Riabov
Ok! This project on gitlab - user2614682
Add user role to your claims. - prisar
It doesn't work - user2614682
With 2.1 there are some security changes, please read this: leastprivilege.com/2018/07/16/… - Ruard van Elburg

1 Answer

2
votes

Unfortunately, I have not found a better solution than to intercept the Access Token event. Then I parsed it and manually added claims to the cookie.

    // Requires: System.IdentityModel.Tokens.Jwt, System.Security.Claims,
    // System.Threading.Tasks, Microsoft.AspNetCore.Authentication.OpenIdConnect
    options.Events = new OpenIdConnectEvents
    {
        // Fires after the hybrid-flow code has been redeemed at the token endpoint.
        OnTokenResponseReceived = ctx =>
        {
            // Parse (without validating) the access token returned by the token endpoint.
            var handler = new JwtSecurityTokenHandler();
            JwtSecurityToken jwt = handler.ReadJwtToken(ctx.TokenEndpointResponse.AccessToken);

            // Copy the access token's claims onto the identity that is about to be
            // persisted in the cookie. Note that [Authorize(Roles = ...)] only matches
            // claims whose type equals the identity's RoleClaimType.
            var claimsIdentity = (ClaimsIdentity) ctx.Principal.Identity;
            claimsIdentity.AddClaims(jwt.Claims);
            return Task.CompletedTask;
        }
    };

I will be very grateful if you look at the source code of the project (it has been updated to ASP.NET Core 2.1) and offer a better option!
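As an added example (not the asker's or answerer's code), here is a complete AddOpenIdConnect registration for an MvcClient-style project that applies the answer's idea but copies only the role claims from the access token, avoids duplicates, and sets the identity's RoleClaimType so that [Authorize(Roles = "admin")] actually matches. The Authority URL, client id, client secret and the "api1" scope are assumptions.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class OidcSetup
{
    public static void AddHybridClient(IServiceCollection services)
    {
        // Keep short JWT claim names ("role", "sub") instead of the long URI claim types.
        JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
        services.AddAuthentication(o => { o.DefaultScheme = "Cookies"; o.DefaultChallengeScheme = "oidc"; })
            .AddCookie("Cookies")
            .AddOpenIdConnect("oidc", options =>
            {
                options.Authority = "https://localhost:5000"; // assumed IdentityServer4 URL
                options.ClientId = "mvc";                      // assumed client id
                options.ClientSecret = "secret";               // assumed; keep out of source control
                options.ResponseType = "code id_token";        // hybrid flow
                options.Scope.Add("api1");                     // assumed API scope

                // [Authorize(Roles = ...)] consults identity.RoleClaimType; point it at "role".
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    NameClaimType = "name",
                    RoleClaimType = "role"
                };
                options.Events = new OpenIdConnectEvents
                {
                    OnTokenResponseReceived = ctx =>
                    {
                        // The access token arrived over the back channel from the token
                        // endpoint, so it is parsed here without re-validating its signature.
                        var jwt = new JwtSecurityTokenHandler()
                            .ReadJwtToken(ctx.TokenEndpointResponse.AccessToken);
                        var identity = (ClaimsIdentity)ctx.Principal.Identity;
                        // Copy only role claims, skipping any the id_token already supplied.
                        foreach (var role in jwt.Claims.Where(c => c.Type == "role"))
                            if (!identity.HasClaim(role.Type, role.Value))
                                identity.AddClaim(new Claim(role.Type, role.Value));
                        return Task.CompletedTask;
                    }
                };
            });
    }
}
```

Call OidcSetup.AddHybridClient(services) from ConfigureServices; if IdentityServer4 is instead configured to put the role claim in the id_token, the event handler becomes unnecessary and only the RoleClaimType setting is needed.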