Open Closed

OpenID Connect with Roles #6917

rbohac created

In the process of trying to add Roles to the claims in the JWT in order to make ANZ usable as an SSO. I was able to do this by reading some of the issues in identityserver4 and made a couple lines of changes in the authroization in the startup folder. That said, no matter what I do, the only role claim that is readable is "Admin", any other role that is added to the user comes up with something like this: { "sub": "5", "name": "testUser", "AspNet.Identity.SecurityStamp": "45FE42SK2IAH3TW7VBNQDAD6WCCNKQQF", "role": [ "Admin", "8ac1fcbf73784e1c895e798dad4c83e6", "4d7d67d8393d49e69d2190dc060c04cc" ], "jti": "77c44272-7049-43ae-91df-1b8d73540db2", "iat": 1556466541, "token_validity_key": "5b92fb9d-d2b1-4093-8bd5-0885259b9486", "user_identifier": "5", "nbf": 1556466541, "exp": 1556552941, "iss": "MotionCX", "aud": "MotionCX" }

The lines that I added were:

using Microsoft.AspNetCore.Authentication.OAuth.Claims;

And then, in the open id area, I added the following:

options.ClaimActions.MapJsonKey("role", "role"); options.ClientId = configuration["Authentication:OpenId:ClientId"]; options.Authority = configuration["Authentication:OpenId:Authority"]; options.SignedOutRedirectUri = configuration["App:WebSiteRootAddress"] + "Account/Logout"; options.ResponseType = OpenIdConnectResponseType.IdToken; options.SaveTokens = true; options.GetClaimsFromUserInfoEndpoint = true; options.ClaimActions.Add(new JsonKeyClaimAction("role", "role", "role"));

                options.TokenValidationParameters = new TokenValidationParameters()
                    ValidateIssuer = bool.Parse(configuration["Authentication:OpenId:ValidateIssuer"]),
                    RoleClaimType = "role"

This allowed it to show up (i also tried numerous other ideas there were in the identityserver4 issues in their github issues, but nothing else did any change. I could be doing something silly on this, and I will keep on working on this, but figured I'd open up a ticket just in case you'd already know the issue aroudn it.

4 Answer(s)
  • 0
    rbohac created

    Also, I should at least state that I also tried calling ther /connect/userinfo and checking there as well as ensuring that the client details in the openid scopes has the roles (also tried just role too) in place. I also tried to ensure we were adding the roles inside the IEnumerable

    new IdentityResource{Name = "roles", UserClaims={JwtClaimTypes.Role}} as well as new IdentityResource("roles", new [] { "role"})

    Tried several other items too, but well, hopefully I'm just missing something of the obvious? I was able to add multiple roles in the IdentityServer4 samples as well as the source code. Have pulled all code from aspnetboilerplate and removed nuget packages and pointing to those projects as well as added it to downloaded project that was generated from ANZ. WIll set up another submodule to pull from IdentitySercver4 too.

  • 0
    rbohac created

    Interesting. Have been totally looking at the wrong locations for the issue on this. I had kept seeing the roles showing up with the expected name (i had just made RoleTest and RoleTest2). Looks like this only shows up in "DisplayName", though it is creating the names for it as just as it is listed above in the jwt (as well as in the scope claims). Is this expected?

  • 0
    rbohac created

    Should have went back to the role manager one in aspnetboilerplate. Had read about it but that was several months ago. Going to just add an extra one on the jwt to make this a little easier to follow what is going on (especially with tenants). Closing this

  • 0
    anissov created

    @rbohac hello, I have the same concern as I am trying to retreive Roles from Azure AD when using OpenId. However I was not able to get it done. I am using the latest version of ASPNET ZERO, could you please advise what to do to get the roles from Azure Active Directory?