Finally got back to this... one quick question though, were you able to get this to work if they start at the B2C endpoint and are then redirected after logging in to the ANZ? I only ask this as I'm failing pretty hard on getting that part to work. That said, if I start at ANZ and then choose the external login and go to the B2C, then I can get it to work. I might be missing something obvious on this?
PS: I apologize for having to ask this again. I spent a decent amount of time trying to get this to work... as I'd assume it shouldn't matter, since it still ends up hitting the signin-oidc.
PPS: I think you were able to get it to work starting from the B2C point... but just want to make sure in case I'm wasting my time.
@richardghubert - Awesome, and thanks for the response. I got sidetracked by another task, so it might be a few days before I have a chance to go back to this. Glad to hear you got it working, and I also appreciate the info around the claims issue, as I'm pretty sure that is the issue I'm having currently. Will let you know how it goes. One other question I do have though: are you first logging in through ANZ, and from there choosing to go through the external OpenID Connect? I was able to get that to work when using AAD (the issue I'm having was in B2C, but I think the claim issue you specified will likely resolve that one).
Anyway, thanks again for the info!
@richardghubert or @ismcagdas
Quick question on this: were you able to get it to work? I think I was able to get it to work (though I'm having issues with API Management... but that is a different topic).
I also have one additional question around this: if I were to remove the internal login completely and just use the external login with B2C... I know this would likely need some changes, especially for non-tenant users... Maybe a better question: do you know of any examples where someone has done that in ABP and/or ANZ?
Should have gone back to the role manager one in aspnetboilerplate. Had read about it, but that was several months ago. Going to just add an extra one on the JWT to make it a little easier to follow what is going on (especially with tenants). Closing this.
Interesting. I have been totally looking in the wrong locations for the issue on this. I had kept seeing the roles showing up with the expected name (I had just made RoleTest and RoleTest2). Looks like this only shows up in "DisplayName", though it is creating the names for it just as listed above in the JWT (as well as in the scope claims). Is this expected?
Also, I should at least state that I also tried calling the /connect/userinfo endpoint and checking there, as well as ensuring that the client details in the OpenID scopes have the roles (also tried just role too) in place. I also tried to ensure we were adding the roles inside the IEnumerable<IdentityResource> too (I think I forgot to note that in the code above). This was done in the IdentityServerConfig file, and I tried both of these lines:
new IdentityResource{Name = "roles", UserClaims={JwtClaimTypes.Role}} as well as new IdentityResource("roles", new [] { "role"})
Tried several other items too, but well, hopefully I'm just missing something obvious? I was able to add multiple roles in the IdentityServer4 samples as well as the source code. Have pulled all code from aspnetboilerplate, removed the NuGet packages and pointed to those projects, as well as added it to the downloaded project that was generated from ANZ. Will set up another submodule to pull from IdentityServer4 too.