Closed DermotMurphy closed 5 months ago
Hi @DermotMurphy, thanks for your feedback on the templates. I really appreciate it 🙏
Regarding the NameClaimType mapping, it's actually not the template that handles it. It's the Auth0 ASP.NET Core Authentication SDK.
While your suggestion to also map the role claim seems to make sense, it's not always the case.
For example, the following directive @attribute [Authorize(Roles = "Author")] relies on the http://schemas.microsoft.com/ws/2008/06/identity/claims/role claim name. If you change it to role, it will not work anymore.
If you want to learn more about Blazor and roles, you might find this article useful.
Regarding the approach you are using to do local claim manipulation, it looks good to me. Alternatively, you may want to consider using Auth0 Actions if it is suitable for your use case.
I hope this helps.
Wow,
Quick response Andrea. 👏
Using Auth0 actions may prove tricky as different applications within the same tenant require different authorizations.
I have been looking at actions, particularly how we might harvest extra data from a user post login.
Thanks again for your sterling work.
Dermot
On Mon, 3 Jun 2024, 16:48 Andrea Chiarelli wrote:
Hi @DermotMurphy https://github.com/DermotMurphy, thanks for your feedback on the templates. I really appreciate it 🙏
Regarding the NameClaimType mapping, it's actually not the template that handles it. It's the Auth0 ASP.NET Core Authentication SDK https://github.com/auth0/auth0-aspnetcore-authentication/blob/main/src/Auth0.AspNetCore.Authentication/AuthenticationBuilderExtensions.cs . While your suggestion to also map the role claim seems to make sense, it's not always the case. For example, the following directive @attribute [Authorize(Roles = "Author")] relies on the http://schemas.microsoft.com/ws/2008/06/identity/claims/role claim name. If you change it to role, it will not work anymore. If you want to learn more about Blazor and roles, you might find this article https://auth0.com/blog/role-based-access-control-in-blazor-apps/ useful.
Regarding the approach you are using to do local claim manipulation, it looks good to me. Alternatively, you may want to consider using Auth0 Actions https://auth0.com/blog/adding-custom-claims-to-id-token-with-auth0-actions/ if it is suitable for your use case.
I hope this helps.
Hi,
I am trying out your Blazor Web App template.
Microsoft seem to hijack the NameClaimType and the RoleClaimType and in a method 'ConfigureOpenIdConnect' you set the NameClaimType to 'name' but don't touch the RoleClaimType.
How would you advise I approach changing from the default 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' to 'role'?
In addition, I like to use the OpenIdConnectEvents.OnTicketReceived to perform local claims manipulation and would like your comments on this approach:
Your template makes the creation of a Blazor Web Application using Auth0 much easier, so I thank you for your efforts.
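The role check discussed in this thread is evaluated against the identity's RoleClaimType, which the following added example (not part of the thread, and not code from the template or the Auth0 SDK) demonstrates with plain System.Security.Claims types. The sample claims, the `BuildIdentity` and `NormalizeRoles` helpers, and the "Sample" authentication type are hypothetical and constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

// Two identities built from the same constructed claims; only RoleClaimType differs.
var longId = BuildIdentity(ClaimTypes.Role); // looks for .../identity/claims/role
var shortId = BuildIdentity("role");         // looks for the short "role" type

// IsInRole (and therefore [Authorize(Roles = "Author")]) only matches claims whose
// type equals the identity's RoleClaimType, so a mismatch denies access.
Console.WriteLine($"RoleClaimType={longId.RoleClaimType}: " +
                  new ClaimsPrincipal(longId).IsInRole("Author"));
Console.WriteLine($"RoleClaimType={shortId.RoleClaimType}: " +
                  new ClaimsPrincipal(shortId).IsInRole("Author"));

// Local claim manipulation: copy the short "role" values onto the type the identity
// actually checks, then evaluate the same role check again.
NormalizeRoles(longId, "role");
Console.WriteLine("After NormalizeRoles: " +
                  new ClaimsPrincipal(longId).IsInRole("Author"));

// Constructed sample: claims as an ID token carrying short "role" claims might yield.
static ClaimsIdentity BuildIdentity(string roleClaimType) =>
    new ClaimsIdentity(
        new[]
        {
            new Claim("name", "Sample User"),
            new Claim("role", "Author"),
        },
        authenticationType: "Sample",
        nameType: "name",
        roleType: roleClaimType);

// Hypothetical helper: re-issue role values found under the given source claim types
// as claims of identity.RoleClaimType, skipping values that are already present.
static void NormalizeRoles(ClaimsIdentity identity, params string[] sourceTypes)
{
    var existing = identity.FindAll(identity.RoleClaimType)
        .Select(c => c.Value)
        .ToHashSet(StringComparer.Ordinal);
    var incoming = identity.Claims
        .Where(c => sourceTypes.Contains(c.Type) && c.Type != identity.RoleClaimType)
        .Select(c => c.Value)
        .ToList(); // materialize before adding claims to the identity
    foreach (var value in incoming)
        if (existing.Add(value))
            identity.AddClaim(new Claim(identity.RoleClaimType, value));
}
```

In an application, a helper like this would run against the principal's identity inside OpenIdConnectEvents.OnTicketReceived; the source claim types passed to it are an assumption and should be limited to the types the trusted ID token actually carries.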