0
votes

I have a Blazor page that is supposed to display a button if the user is in the GRP_FAST_ADMIN role. For testing purposes, if they are not in the role, I print out a list of roles that they are in. The issue is that their claims do show that they have the correct role, but they are still not authorized.

@page "/RestartApplication"


<AuthorizeView Roles="GRP_FAST_ADMIN">
    <Authorized>
        <button class="btn-default" @onclick="() => ViewModel.RestartApplication()">Restart Application</button>
    </Authorized>
    <NotAuthorized>
        @if(Claims !=null)
        {
            @foreach(var claim in Claims)
            {
                <p>@(claim.Type.ToString() + ": " + claim.Value.ToString())</p>
            }
        }
    </NotAuthorized>
</AuthorizeView>

The output from the section:

http://schemas.microsoft.com/ws/2008/06/identity/claims/role: CM_GENERAL_USER

http://schemas.microsoft.com/ws/2008/06/identity/claims/role: ES_GENERAL_USER

http://schemas.microsoft.com/ws/2008/06/identity/claims/role: GRP-PEOPLESOFT-P-GL_GENERAL

http://schemas.microsoft.com/ws/2008/06/identity/claims/role: GRP_AWB_ADMIN

http://schemas.microsoft.com/ws/2008/06/identity/claims/role: GRP_FAST_ADMIN

http://schemas.microsoft.com/ws/2008/06/identity/claims/role: GRP_ILG_RO

http://schemas.microsoft.com/ws/2008/06/identity/claims/role: IB_PWR_USER

http://schemas.microsoft.com/ws/2008/06/identity/claims/role: IBP_POWER_USER

http://schemas.microsoft.com/ws/2008/06/identity/claims/role: MP_ADMIN_GRP

http://schemas.microsoft.com/ws/2008/06/identity/claims/role: OFB_GENERAL_USER

http://schemas.microsoft.com/ws/2008/06/identity/claims/role: PK_GENERAL_USER

http://schemas.microsoft.com/ws/2008/06/identity/claims/role: PT_GENERAL_USER

http://schemas.microsoft.com/ws/2008/06/identity/claims/role: PT_PWR_USER

http://schemas.microsoft.com/ws/2008/06/identity/claims/role: RESORT_OPS_UTILITY

Basic authentication works. I can successfully use for just making sure someone is signed-in. Authorization is set up in the startup of the WebAssembly with this:

public static IServiceCollection AddPowerToolsWebServices(this IServiceCollection services)
{
    services.AddDevExpressBlazor();
    services.AddBlazoredLocalStorage();
    services.AddAuthorizationCore();
    services.AddScoped<TokenAuthenticationStateProvider>();
    services.AddScoped<AuthenticationStateProvider, TokenAuthenticationStateProvider>(provider =>
        provider.GetRequiredService<TokenAuthenticationStateProvider>());
    return services;
}

I am handling the override for GetAuthenticationStateAsync()

public override async Task<AuthenticationState> GetAuthenticationStateAsync()
{
    var token = await GetTokenAsync();
    if (string.IsNullOrWhiteSpace(token))
        return _Anonymous;

    _HttpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("bearer", token);
    return new AuthenticationState(new ClaimsPrincipal(new ClaimsIdentity(ParseClaimsFromJwt(token), "jwt")));
}

This parses all claims and gets each role and adds them individually as a claim. Not sure what I am missing.

1 Answer

1
votes

Looks like you will have to transform the role claims with an AccountClaimsPrincipalFactory.

The claim type Blazor expects is just "role", not "http://schemas.microsoft.com/ws/2008/06/identity/claims/role". A factory can achieve this for you; then you will be able to use standard Blazor components / mechanisms to manage them.

Even with the Individual user accounts option you have to do this, as the claims come in a comma-separated string.

This is a link for an example. This is not your case, but the solution is the same: you need to transform the claims you have to what Blazor expects.
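
Added example, not part of the question or the answer: `ClaimsPrincipal.IsInRole` (which `AuthorizeView Roles="..."` relies on) only matches claims whose type equals the identity's `RoleClaimType`, so the sketch below shows a mismatch and then a normalization step for a hand-built principal like the one in the question. `RoleClaimDemo`, `Normalize`, the accepted input types and the sample claims are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

public static class RoleClaimDemo
{
    // Input claim types treated as roles (assumption: match these to your token issuer).
    private static readonly HashSet<string> RoleTypes =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "role", "roles", ClaimTypes.Role };

    // Hypothetical helper: rewrites role-like claims to one type, splits comma-separated
    // values, and sets that type as the identity's RoleClaimType.
    public static ClaimsPrincipal Normalize(IEnumerable<Claim> parsed, string roleType = "role")
    {
        var claims = new List<Claim>();
        foreach (var c in parsed)
        {
            if (!RoleTypes.Contains(c.Type)) { claims.Add(c); continue; }
            foreach (var r in c.Value.Split(',', StringSplitOptions.RemoveEmptyEntries))
                if (r.Trim().Length > 0) claims.Add(new Claim(roleType, r.Trim()));
        }
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "jwt", "name", roleType));
    }

    public static void Main()
    {
        // Constructed sample claims, as a JWT parser might return them.
        var parsed = new List<Claim>
        {
            new Claim("name", "sample.user"),
            new Claim(ClaimTypes.Role, "GRP_FAST_ADMIN"),
            new Claim("role", "GRP_AWB_ADMIN, PT_PWR_USER"),
        };

        // Mismatch: roles sit under the long URI type, but the identity looks for "role".
        var mismatched = new ClaimsPrincipal(new ClaimsIdentity(parsed, "jwt", "name", "role"));
        Console.WriteLine($"mismatched: {mismatched.IsInRole("GRP_FAST_ADMIN")}");

        var user = Normalize(parsed);
        var identity = (ClaimsIdentity)user.Identity;
        Console.WriteLine($"RoleClaimType: {identity.RoleClaimType}");
        foreach (var role in new[] { "GRP_FAST_ADMIN", "PT_PWR_USER", "GRP_FAST" })
            Console.WriteLine($"{role}: {user.IsInRole(role)}");
    }
}
```

In a WebAssembly client this check only controls what is rendered; the endpoint behind the button has to enforce the role on the server as well.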