How to handle multiple roles for same user and Authorize an api #109

Closed
Munde opened this issue Nov 5, 2018 · 8 comments

Munde commented Nov 5, 2018

Hello Skoruba,
Thanks for this nice project, it helps a lot.

But I am having two issues:

  1. How can I allow multiple roles for a single user? This comes in handy when I have more than one application where users can share the login. I tried to implement it, but it ends up on the access denied page, failing to authorize the user.

  2. What is the best way to authorize the API? I tried to implement it, but it works only for the first minute; after the first minute the API loses access, preventing the user from accessing the API, and the refresh token is invalid and throws an error when I try to renew the access token using the refresh token.

skoruba commented Nov 6, 2018

Hey @Munde,
1.) Have you inspected the token - does the token contain a list of roles as you requested from IS4? Btw: did you mean - add more roles to a single user via the view - /Identity/UserRoles?
2.) I can highly recommend taking a look at the Samples of IdentityServer4 - there are a lot of great examples of how to work with an API.

@skoruba skoruba closed this as completed Nov 6, 2018
@skoruba skoruba reopened this Nov 6, 2018

skoruba commented Nov 6, 2018

Here: https://github.com/IdentityServer/IdentityServer4.Samples
Sorry - I accidentally closed it from my mobile. :))

@skoruba skoruba closed this as completed Nov 6, 2018
@skoruba skoruba reopened this Nov 6, 2018
@skoruba skoruba self-assigned this Nov 6, 2018
@skoruba skoruba added the question Further information is requested label Nov 6, 2018

Munde commented Nov 6, 2018

Yes, I mean multiple roles via identity/UserRoles, like a user may possess two or more roles and I can authorize using one or more roles in the application, like

```csharp
[Authorize(Roles="SkorubaAdministrator,SuperAdmin,Customer")]
```

When I assign more than one role to the user I end up getting access denied.
[image: roles]
Like this: when I assign multiple roles it only takes the first role and discards the other roles.

skoruba commented Nov 6, 2018

Could you please check the User object and claims - if the roles are part of these claims?
Does your client ask for roles in scope?
Thanks!

skoruba commented Nov 6, 2018

Btw: take a look here IdentityServer/IdentityServer4#1786 (comment)

Munde commented Nov 7, 2018

Yes, my client asks for role as a part of its scope. When I assign a single role it works as expected, but when I add multiple roles to the same user I end up getting this error:
internal server error

And these are the settings in my AddOpenId:
[image: capture]

I tried both `options.ClaimActions.MapUniqueJsonKey("role", "role","roles");` and `options.ClaimActions.MapUniqueJsonKey("role", "role","role");` and I still get the above error.

skoruba commented Nov 7, 2018

OK, I will check it later.
Thanks for reporting

Munde commented Nov 26, 2018

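We have been able to solve it by adding this piece of code on option.Events:

```csharp
// Requires: System.Collections.Generic, System.Security.Claims, System.Threading.Tasks,
// IdentityModel (JwtClaimTypes), Newtonsoft.Json.Linq (JToken, JTokenType).
OnUserInformationReceived = context =>
{
    // The userinfo "role" member is a string for one role and an array for several.
    if (context.User.TryGetValue(JwtClaimTypes.Role, out JToken role))
    {
        var claims = new List<Claim>();
        if (role.Type != JTokenType.Array)
        {
            claims.Add(new Claim(JwtClaimTypes.Role, (string)role));
        }
        else
        {
            foreach (var r in role)
                claims.Add(new Claim(JwtClaimTypes.Role, (string)r));
        }

        // Add one role claim per role to the signed-in identity.
        if (context.Principal.Identity is ClaimsIdentity id)
            id.AddClaims(claims);
    }
    return Task.CompletedTask;
}
```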

@Munde Munde closed this as completed Nov 26, 2018
@Munde Munde reopened this Nov 27, 2018
@Munde Munde closed this as completed Jan 15, 2019
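
The role check behind `[Authorize(Roles=...)]`, shown against two claim shapes, as an added example that is not part of the original thread or of the project's code. It assumes System.Text.Json (.NET Core 3.0 or later) instead of the Newtonsoft `JToken` API used in the thread; `RoleClaimDemo`, `ExpandRoles`, `Build`, `Allowed`, the userinfo JSON and the "collapsed" mapping are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text.Json;

static class RoleClaimDemo
{
    const string RoleType = "role"; // same string as JwtClaimTypes.Role

    // Expand the userinfo "role" member (string or array) into one claim per role.
    static IEnumerable<Claim> ExpandRoles(JsonElement userInfo)
    {
        if (!userInfo.TryGetProperty(RoleType, out JsonElement role)) yield break;
        if (role.ValueKind == JsonValueKind.String)
            yield return new Claim(RoleType, role.GetString());
        else if (role.ValueKind == JsonValueKind.Array)
            foreach (JsonElement r in role.EnumerateArray())
                if (r.ValueKind == JsonValueKind.String) // skip nulls and non-strings
                    yield return new Claim(RoleType, r.GetString());
    }

    // Identity whose role claim type is "role", so IsInRole reads those claims.
    static ClaimsPrincipal Build(IEnumerable<Claim> claims) =>
        new ClaimsPrincipal(new ClaimsIdentity(claims, "oidc", "name", RoleType));

    // [Authorize(Roles = "A,B")] passes when the user is in ANY listed role.
    static bool Allowed(ClaimsPrincipal user, string rolesCsv) =>
        rolesCsv.Split(',').Any(r => user.IsInRole(r.Trim()));

    static void Main()
    {
        // Constructed userinfo response for a user holding two roles.
        const string json = "{\"sub\":\"1\",\"role\":[\"SkorubaAdministrator\",\"Customer\"]}";
        using JsonDocument doc = JsonDocument.Parse(json);
        JsonElement userInfo = doc.RootElement;

        // Assumed faulty mapping: the whole array ends up as one claim value.
        string raw = userInfo.GetProperty(RoleType).GetRawText();
        ClaimsPrincipal collapsed = Build(new[] { new Claim(RoleType, raw) });

        // One claim per role, the shape IsInRole compares against.
        ClaimsPrincipal expanded = Build(ExpandRoles(userInfo).ToList());

        const string required = "SkorubaAdministrator,SuperAdmin,Customer";
        Console.WriteLine($"collapsed: {Allowed(collapsed, required)}");
        Console.WriteLine($"expanded:  {Allowed(expanded, required)}");
    }
}
```

`IsInRole` compares each role claim value as a whole string, so only the identity with one claim per role satisfies the attribute.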